Vehicle and autonomous driving system

ABSTRACT

A vehicle comprises an autonomous driving system and a vehicle platform that controls the vehicle in response to a command received from the autonomous driving system. In the present vehicle, when the autonomous driving system issues a first command to request the vehicle platform to provide deceleration to stop the vehicle and a first signal indicates 0 km/h or a prescribed velocity or less, the autonomous driving system issues a second command to request the vehicle platform to maintain stationary. And after brake hold control is finished, a second signal indicates standstill. Until the second signal indicates standstill, the first command continues to request the vehicle platform to provide deceleration.

This nonprovisional application is based on Japanese Patent ApplicationNo. 2020-015719 filed with the Japan Patent Office on Jan. 31, 2020, theentire contents of which are hereby incorporated by reference.

BACKGROUND Field

The present disclosure relates to a vehicle and an autonomous drivingsystem, and more specifically to a technology used to autonomously drivea vehicle.

Description of the Background Art

Japanese Patent Laid-Open No. 2018-132015 discloses a technology used toautonomously drive a vehicle. In the technology described in JapanesePatent Laid-Open No. 2018-132015, an autonomous driving ECU having afunction to sense a vicinity of a vehicle is provided to the vehicleseparately from an engine ECU, and the autonomous driving ECU issues aninstruction to the engine ECU via an in-vehicle network. The ECU formanaging the power of the vehicle and the ECU for autonomous drivingthat are independent from each other allow an autonomous drivingfunction to be added without significantly changing an existing vehicleplatform. In addition, it is expected that a third party shouldaccelerate development of an autonomous driving function.

SUMMARY

It is also conceivable to make an autonomous driving systemretrofittable to a vehicular body having a vehicle platform incorporatedtherein. However, a technique allowing a vehicle platform toappropriately perform vehicle control in response to a command receivedfrom such an autonomous driving system has not yet been established, andthere remains room for improvement.

The present disclosure has been made in order to address the aboveissue, and contemplates a vehicle and autonomous driving system capableof appropriately maintaining stationary when a vehicle platform carriesout vehicle control in response to a command received from theautonomous driving system.

In a first aspect of the present disclosure, a vehicle comprises anautonomous driving system and a vehicle platform that controls thevehicle in response to a command received from the autonomous drivingsystem. The autonomous driving system sends to the vehicle platform acommand including a first command to request acceleration anddeceleration and a second command to request to maintain stationary. Theautonomous driving system obtains a first signal indicating alongitudinal velocity of the vehicle and a second signal indicating astandstill status. In the present vehicle, when the autonomous drivingsystem issues the first command to request the vehicle platform toprovide deceleration to stop the vehicle and the first signal indicates0 km/h or a prescribed velocity or less, the autonomous driving systemissues the second command to request the vehicle platform to maintainstationary. And after brake hold control is finished, the second signalindicates standstill. Until the second signal indicates standstill, thefirst command continues to request the vehicle platform to providedeceleration.

According to the above configuration, acceleration of the vehicle issuppressed in response to a request through the first command fordeceleration even after the vehicle is stopped (that is, even after thefirst signal indicates 0 km/h or a prescribed velocity or less). Thus,when the vehicle platform carries out vehicle control in response to acommand received from the autonomous driving system, the vehicle can beappropriately maintained stationary (that is, brake hold control can becarried out appropriately).

In the above configuration, a trigger to issue the second command torequest to maintain stationary may be that the first signal indicates 0km/h or that the first signal indicates a prescribed velocity or less.The prescribed velocity may be a value which is small to an extentallowing the vehicle to be regarded as being stationary (e.g.,approximately 0 km/h).

The first command may continue to request a constant deceleration valueduring a period from when the second command requests to maintainstationary until the second signal indicates standstill. Further, theconstant deceleration value may be −0.4 m/s². According to the aboveconfiguration, a state of the vehicle when the vehicle is stopped iseasily stabilized by simple control.

In the above vehicle, the autonomous driving system may further obtain athird signal indicating a moving direction of the vehicle. In such avehicle, the brake hold control may be started when the first commandrequests deceleration, the second command requests to maintainstationary, and the third signal indicates standstill. According to theabove configuration, maintaining the vehicle stationary (that is, brakehold control) is easily, appropriately performed. The third signal mayindicate a standstill when a prescribed number of wheels of the vehiclecontinue a speed of 0 for a prescribed period of time.

In the above vehicle, when the autonomous driving system issues thefirst command to request the vehicle platform to provide deceleration tostop the vehicle, and thereafter, before the brake hold control isfinished the request through the first command for deceleration iscancelled, transitioning to the brake hold control may be canceled.According to the above configuration, inappropriately maintaining thevehicle stationary (that is, inappropriate brake hold control) can besuppressed.

In the above vehicle, when the autonomous driving system issues thesecond command to request the vehicle platform to maintain stationary,and thereafter, before the brake hold control is finished the requestthrough the second command to maintain stationary is cancelled,transitioning to the brake hold control may be canceled. According tothe above configuration, inappropriately maintaining the vehiclestationary (that is, inappropriate brake hold control) can besuppressed.

In the above vehicle, after the brake hold control is finished andthereafter the request through the second command to maintain stationarystill continues, the vehicle may continue standstill while the requestthrough the second command to maintain stationary continues. Accordingto the above configuration, the vehicle can continue standstill (thatis, a state of being maintained stationary) in response to the secondcommand.

The above vehicle may include an electric parking brake. In the vehicle,an electric parking brake may be activated when the second signalcontinues to indicate standstill for a prescribed period of time.According to such a configuration, brake hold control is finished andthereafter when a prescribed period of time elapses the electric parkingbrake can further be applied to enhance maintaining the vehiclestationary.

In the above vehicle, when, in order to start the vehicle, theautonomous driving system cancels brake hold control by setting thesecond command, the vehicle platform may controlacceleration/deceleration of the vehicle based on the first command.According to this configuration, the vehicle can be appropriatelystarted in response to a command received from the autonomous drivingsystem.

In a second aspect of the present disclosure a vehicle comprises avehicle platform that controls the vehicle and a vehicle controlinterface that mediates communication of a signal between the vehicleplatform and an autonomous driving system. By attaching the autonomousdriving system to the vehicle, the vehicle platform can carry outautonomous driving control of the vehicle in response to a commandreceived from the autonomous driving system. The autonomous drivingsystem sends to the vehicle platform through the vehicle controlinterface a command including a first command to request accelerationand deceleration and a second command to request to maintain stationary.The vehicle control interface outputs to the autonomous driving system afirst signal indicating a longitudinal velocity of the vehicle and asecond signal indicating a standstill status. When the autonomousdriving system issues the first command to request the vehicle platformto provide deceleration to stop the vehicle and the first signalindicates 0 km/h or a prescribed velocity or less, the vehicle controlinterface requests the autonomous driving system to issue the secondcommand to maintain stationary. The vehicle control interface requeststhe autonomous driving system to continuously transmit the first commandto request deceleration until the second signal indicates standstill inresponse to the second command.

The vehicle does not comprise an autonomous driving system. However,when the autonomous driving system is retrofitted to the vehicle, theabove-described control comes to be carried out when the autonomousdriving system stops the vehicle. That is, even after the vehicle isstopped, acceleration of the vehicle is suppressed in response to arequest through the first command for deceleration. The vehicle can thusbe appropriately maintained stationary when the vehicle platform carriesout vehicle control in response to a command received from theautonomous driving system.

In a third aspect of the disclosure, an autonomous driving systemcomprises a computer that sends a command to a vehicle platform. Thecommand that computer sends to the vehicle platform includes a firstcommand to request acceleration and deceleration and a second command torequest to maintain stationary. The computer obtains a first signalindicating a longitudinal velocity of the vehicle and a second signalindicating a standstill status. When the computer issues the firstcommand to request the vehicle platform to provide deceleration to stopa vehicle and the first signal indicates 0 km/h or a prescribed velocityor less, the computer issues the second command to request the vehicleplatform to maintain stationary. Until the second signal indicatesstandstill in response to the second command, the computer issues thefirst command to continue to request the vehicle platform to providedeceleration.

According to the above configuration, the above-described control comesto be carried out when the autonomous driving system stops the vehicle.That is, acceleration of the vehicle is suppressed in response to arequest through the first command for deceleration even after thevehicle is stopped. The vehicle can thus be appropriately maintainedstationary when the vehicle platform carries out vehicle control inresponse to a command received from the autonomous driving system.

The foregoing and other objects, features, aspects and advantages of thepresent disclosure will become more apparent from the following detaileddescription of the present disclosure when taken in conjunction with theaccompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram generally showing a MaaS system to which a vehicleaccording to an embodiment of the present disclosure is applied.

FIG. 2 is a diagram showing details in configuration of a vehiclecontrol interface, a vehicle platform, and an autonomous driving systemthat the vehicle shown in FIG. 1 comprises.

FIG. 3 is a flowchart of a process performed by the autonomous drivingsystem in autonomous driving control according to an embodiment of thepresent disclosure.

FIG. 4 is a flowchart of a process performed in the vehicle for settingan actual moving direction according to an embodiment of the presentdisclosure.

FIG. 5 is a flowchart of brake hold control carried out in an autonomousmode according to an embodiment of the present disclosure.

FIG. 6 is a flowchart of EPB control carried out in the autonomous modeaccording to an embodiment of the present disclosure.

FIG. 7 is a flowchart of deceleration control carried out in theautonomous mode according to an embodiment of the present disclosure.

FIG. 8 is a flowchart of start control carried out in the autonomousmode according to an embodiment of the present disclosure.

FIG. 9 is a flowchart of acceleration control carried out in theautonomous mode according to an embodiment of the present disclosure.

FIG. 10 is timing plots representing an exemplary operation of a vehicleautonomously driven in the autonomous mode according to an embodiment ofthe present disclosure.

FIG. 11 is a diagram of an overall configuration of MaaS.

FIG. 12 is a diagram of a system configuration of a MaaS vehicle.

FIG. 13 is a diagram showing a typical flow in an autonomous drivingsystem.

FIG. 14 is an example of timing plots of an API involved in stopping andstarting the MaaS vehicle.

FIG. 15 is an example of timing plots of an API involved in a shiftchange of the MaaS vehicle.

FIG. 16 is an example of timing plots of an API involved in locking awheel of the MaaS vehicle.

FIG. 17 is a diagram representing a limit value of variation in tireturning angle.

FIG. 18 is a diagram for illustrating intervention by an acceleratorpedal.

FIG. 19 is a diagram for illustrating intervention by a brake pedal.

FIG. 20 is a diagram of an overall configuration of MaaS.

FIG. 21 is a diagram of a system configuration of a vehicle.

FIG. 22 is a diagram showing the vehicle's power feeding configuration.

FIG. 23 is a diagram for illustrating a strategy taken until the vehicleis safely brought to a standstill when a failure occurs.

FIG. 24 is a diagram showing an arrangement of representative functionsof the vehicle.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Embodiments of the present disclosure will now be described in detailhereinafter with reference to the drawings, in which identical orcorresponding components are identically denoted and will not bedescribed repeatedly.

FIG. 1 is a diagram generally showing a MaaS (Mobility as a Service)system to which a vehicle according to the present embodiment isapplied.

Referring to FIG. 1, the MaaS system comprises a vehicle 1, a dataserver 500, an MSPF (Mobility Service Platform) 600, and autonomousdriving-related mobility services 700.

Vehicle 1 includes a vehicular body 10 and an ADK (Autonomous DrivingKit) 20.

Vehicular body 10 includes a vehicle control interface 110, a VP(Vehicle Platform) 120, and a DCM (Data Communication Module) 130. ADK20 includes an ADS (Autonomous Driving System) 200 for autonomouslydriving vehicle 1. Vehicle control interface 110 mediates communicationof a signal between VP 120 and ADS 200. ADK 20 is actually attached tovehicular body 10 although FIG. 1 shows vehicular body 10 and ADK 20 atpositions distant from each other. In the present embodiment, ADK 20 hasits body attached to a roof top of vehicular body 10. Note, however,that where ADK 20 is mounted can be changed as appropriate.

Vehicle 1 is configured to be autonomously drivable. When vehicle 1 isautonomously driven, VP 120 and ADS 200 communicate signals with eachother via vehicle control interface 110, and VP 120 carries out travelcontrol (that is, autonomous driving control) in an autonomous mode inresponse to a command received from ADS 200. ADK 20 is removable fromvehicular body 10. Even when vehicular body 10 has ADK 20 removedtherefrom, the user can drive the vehicle to cause the vehicle to travelwith vehicular body 10 alone. When the vehicle travels with vehicularbody 10 alone, VP 120 carries out travel control in a manual mode (thatis, in response to the user's operation).

In the present embodiment, ADS 200 communicates signals with vehiclecontrol interface 110 through an API (Application Program Interface)defining each signal to be communicated. ADS 200 is configured toprocess various signals defined by the API. For example, ADS 200 createsa driving plan for vehicle 1 and outputs various commands to vehiclecontrol interface 110 through the API for causing vehicle 1 to travel inaccordance with the created driving plan. Hereinafter, each of thevarious commands output from ADS 200 to vehicle control interface 110will also be referred to as an “API command.” Further, ADS 200 receivesvarious signals indicating states of vehicular body 10 from vehiclecontrol interface 110 through the API, and reflects the received statesof vehicular body 10 in creating the driving plan. Hereinafter, each ofthe various signals that ADS 200 receive from vehicle control interface110 will also be referred to as an “API signal.” An API command and anAPI signal both correspond to signals defined by the API. Details inconfiguration of ADS 200 will be described hereinafter (see FIG. 2).

Vehicle control interface 110 receives various API commands from ADS200. When vehicle control interface 110 receives an API command from ADS200, vehicle control interface 110 converts the API command into aformat of a signal that can be processed by VP 120. Hereinafter, an APIcommand converted into a format of a signal that can be processed by VP120 will also be referred to as a “control command.” When vehiclecontrol interface 110 receives an API command from ADS 200, vehiclecontrol interface 110 outputs to VP 120 a control command correspondingto the API command.

Vehicle control interface 110 outputs to ADS 200 various API signalsindicating states of vehicular body 10. In the present embodiment, VP120 detects a state of vehicular body 10 and sequentially sends varioussignals (e.g., a sensor signal or a status signal) indicating the stateof vehicular body 10 to vehicle control interface 110 in real time.Vehicle control interface 110 receives a signal from VP 120 and uses thereceived signal to obtain an API signal as described above. Vehiclecontrol interface 110 may determine a value for the API signal based onthe signal received from VP 120, or may convert the signal received fromVP 120 (i.e., a signal indicating a state of vehicular body 10) to aform of an API signal. Thus, vehicle control interface 110 obtains anAPI signal in which a value indicating a state of vehicular body 10 isset, and vehicle control interface 110 outputs the obtained API signalto ADS 200. From vehicle control interface 110 to ADS 200, the APIsignal indicating the state of vehicular body 10 is sequentially outputin real time.

In the present embodiment, a less versatile signal defined by, forexample, an automobile manufacturer is communicated between VP 120 andvehicle control interface 110, and a more versatile signal (for example,a signal defined by an open API) is communicated between ADS 200 andvehicle control interface 110. Vehicle control interface 110 converts asignal between ADS 200 and VP 120 to allow VP 120 to control vehicle 1in response to a command received from ADS 200. By attaching ADS 200 tovehicular body 10 having VP 120 incorporated therein, VP 120 can performautonomous driving control for vehicular body 10 in response to acommand received from ADS 200. Note, however, that vehicle controlinterface 110 functions not only to convert a signal, as describedabove. For example, vehicle control interface 110 may make adetermination, as prescribed, and send a signal based on a result of thedetermination (e.g., a signal for making notification, an instruction,or a request) to at least one of VP 120 and ADS 200. Details inconfiguration of vehicle control interface 110 will be describedhereinafter (see FIG. 2).

VP 120 includes various systems and various sensors for controllingvehicular body 10. Commands are sent from ADS 200 to VP 120 throughvehicle control interface 110. VP 120 carries out vehicle controlvariously in response to commands received from ADS 200 (morespecifically, control commands corresponding to API commands sent by ADS200). Various commands for causing vehicle 1 to travel in accordancewith a driving plan as described above are transmitted from ADS 200 toVP 120, and vehicle 1 is autonomously driven by VP 120 carrying outvehicle control variously in response to the commands. Details inconfiguration of VP 120 will more specifically be described hereinafter(see FIG. 2).

DCM 130 includes a communication I/F (interface) allowing vehicular body10 to communicate with data server 500 wirelessly. DCM 130 outputsvarious vehicle information such as a velocity, a position, and anautonomous driving state to data server 500. Further, DCM 130 forexample receives from autonomous driving-related mobility services 700through MSPF 600 and data server 500 various types of data fortravelling of an autonomously driven vehicle including vehicle 1 managedby mobility services 700.

MSPF 600 is an integrated platform to which various mobility servicesare connected. In addition to autonomous driving related-mobilityservices 700, various mobility services (not shown) (for example,various mobility services provided by a ride-share company, acar-sharing company, an insurance company, a rent-a-car company, and ataxi company) are connected to MSPF 600. Various mobility servicesincluding mobility services 700 can use various functions that areprovided by MSPF 600 through an API published on MSPF 600, depending onservice contents.

Autonomous driving-related mobility services 700 provide mobilityservices using an autonomously driven vehicle including vehicle 1.Mobility services 700 can obtain various types of information (forexample, driving control data of vehicle 1 communicating with dataserver 500, and information stored in data server 500) from MSPF 600through an API published on MSPF 600. Further, mobility services 700 cantransmit various types of information (for example, data for managementof an autonomously driven vehicle including vehicle 1) to MSPF 600through the API.

MSPF 600 publishes an API for using various types of data on vehicularstate and vehicular control necessary for development of an ADS, and anADS provider can use as the API the various types of data stored in dataserver 500 on vehicular state and vehicular control necessary fordevelopment of the ADS.

FIG. 2 is a diagram showing details in configuration of vehicle controlinterface 110, VP 120 and ADS 200 that vehicle 1 comprises.

Referring to FIG. 2 together with FIG. 1, ADS 200 includes an ADC(Autonomous Driving Control) computer 210, an HMI (Human MachineInterface) 230, sensors for perception 260, sensors for pose 270, and asensor cleaning 290.

ADC computer 210 includes a processor and a storage device for storingautonomous driving software, and is configured to be capable ofexecuting the autonomous driving software by the processor. Theabove-described API is executed by the autonomous driving software.

HMI 230 is a device allowing a user and ADC computer 210 to communicateinformation therebetween. HMI 230 may include an input device to receivean input (including a voice input) from a user, and a notificationdevice to notify the user of information. For example, ADC computer 210may notify the user of prescribed information (e.g., an autonomousdriving state, or occurrence of failure) through the notificationdevice. The user can use the input device to instruct or request ADCcomputer 210, change values of parameters used in the autonomous drivingsoftware that are permitted to be changed, and the like. HMI 230 may bea touch panel display which functions as both the input device and thenotification device.

Sensors for perception 260 include various sensors which obtainenvironment information that is information for perceiving anenvironment external to vehicle 1. Sensors for perception 260 areconfigured to obtain environment information of vehicle 1 and output theenvironment information to ADC computer 210. The environment informationis used for autonomous driving control. In the present embodiment,sensors for perception 260 include a camera that captures an imagearound vehicle 1 (including its front and rear sides) and an obstacledetector (e.g., a millimeter-wave radar and/or lidar) that detects anobstacle by an electromagnetic wave or a sound wave. Note, however, thatthe sensors are not limited as such, and any sensor suitable forobtaining environment information used for autonomous driving controlmay be adopted as sensors for perception 260. ADC computer 210 canrecognize, for example, a person, an object (e.g., another vehicle, apole, a guard rail and the like), and a line (e.g., a center line) on aroad that are present in a range perceivable from vehicle 1 by usingenvironment information received from sensors for perception 260.Artificial intelligence (AI) or an image processing processor may beused for recognition.

Sensors for pose 270 are configured to obtain pose information, which isinformation regarding a pose of vehicle 1, and output the poseinformation to ADC computer 210. Sensors for pose 270 include varioussensors to sense vehicle 1's acceleration, angular velocity, andposition. In the present embodiment, sensors for pose 270 include an IMU(Inertial Measurement Unit) and a GPS (Global Positioning System). TheIMU for example detects vehicle 1's acceleration in each of thevehicle's longitudinal, lateral and vertical directions, and detectsvehicle 1's angular velocity in each of the vehicle's roll, pitch, andyaw directions. The GPS detects the position of vehicle 1 by usingsignals received from a plurality of GPS satellites. Combining an IMUand a GPS to measure a pose with high accuracy is a technique known inthe field of automobiles and aircraft. ADC computer 210 may for exampleuse such a known technique to measure a pose of vehicle 1 from the poseinformation.

Sensor cleaning 290 is a device to remove soiling from a sensor (forexample, sensors for perception 260) exposed to external air outside thevehicle. For example, sensor cleaning 290 may be configured to use acleaning solution and a wiper to clean a lens of the camera and an exitof the obstacle detector.

Hereinafter, how vehicle control interface 110 and VP 120 included invehicular body 10 are configured will be described. In vehicular body10, for better safety, a prescribed function (for example, braking,steering, and locking the vehicle) is provided with redundancy.Vehicular body 10 includes a plurality of systems to implementequivalent functions.

Vehicle control interface 110 includes VCIBs (Vehicle Control InterfaceBoxes) 111 and 112. Each of VCIBs 111 and 112 is an ECU (ElectronicControl Unit) functioning as an interface and a signal converter betweenADS 200 and VP 120. Each of VCIBs 111 and 112 is communicativelyconnected to ADC computer 210. VCIBs 111 and 112 are both connected to asystem constituting VP 120. Note, however, that, as shown in FIG. 2,VCIB 111 and VCIB 112 are partially different in to what they areconnected. VCIB 111 and VCIB 112 are mutually communicatively connected.Each of VCIBs 111 and 112 can operate alone, and even when one VCIBfails, the other normally operates, and vehicle control interface 110thus normally operates.

Each of VCIBs 111 and 112 includes a processor, a RANI (Random AccessMemory), and a storage device. As the processor, for example, a CPU(Central Processing Unit) can be employed. The storage device isconfigured to be able to hold stored information. As the storage device,for example, a ROM (Read Only Memory) and/or a rewritable nonvolatilememory can be employed. The storage device stores a program, and inaddition, information (e.g., various parameters) used in the program. Aprocess of vehicle control interface 110, which will be describedhereinafter (see FIGS. 4 to 9), is performed by the processor executinga program stored in the storage device (e.g., a program using the APIdescribed above). These processes may be performed by any of VCIBs 111and 112 or may be performed by VCIBs 111 and 112 cooperating when theyboth normally operate.

In the present embodiment, VP 120 and ADS 200 perform CAN (ControllerArea Network) communication with each other via vehicle controlinterface 110. The API described above is executed periodically asdefined for each API. However, a system in which VP 120 and ADS 200communicate is not limited to the CAN, and may be changed asappropriate.

When any failure occurs in one of the redundant systems of VP 120, VCIBs111 and 112 switch/shut down a control system to cause a normal systemto operate properly. This maintains a function of VP 120 (e.g., braking,steering, and locking the vehicle).

VP 120 includes brake systems 121A and 121B. Each of brake systems 121Aand 121B includes a plurality of braking mechanisms provided to eachwheel of vehicular body 10, a braking actuator serving as an actuatorfor driving each braking mechanism, and a control device that controlsthe braking actuator. The braking mechanism may be, for example, ahydraulic disc brake that applies braking force to a wheel throughhydraulic pressure adjustable by the actuator. The control devicecontrols the braking actuator in response to a user operation (forexample, a brake pedal operation) in the manual mode, and controls thebraking actuator in response to a control command received from VCIBs111 and 112 in the autonomous mode. The control device of brake system121A and the control device of brake system 121B may be communicativelyconnected to each other. Brake systems 121A and 121B both implement abraking function and can operate alone. Therefore, even when one brakesystem fails, the other normally operates, and vehicular body 10 can bebraked.

VP 120 further includes a wheel speed sensor 127. Wheel speed sensor 127is provided to each wheel of vehicular body 10 and senses a rotationspeed of each wheel. A result of sensing by wheel speed sensor 127 istransmitted to vehicle control interface 110. In the present embodiment,the rotation speed of each wheel sensed by wheel speed sensor 127 isoutput from wheel speed sensor 127 to brake system 121B, and from brakesystem 121B to VCIB 111.

VP 120 further includes steering systems 122A and 122B. Each of steeringsystems 122A and 122B includes a steering mechanism capable of adjustingand varying a steering angle of a steering wheel of vehicle 1, asteering actuator serving as an actuator for driving the steeringmechanism, and a control device that controls the steering actuator. Thesteering mechanism may be, for example, a rack and pinion type EPS(Electric Power Steering) capable of adjusting a steering angle by theactuator. The control device controls the steering actuator in responseto a user operation (e.g., a steering-wheel operation) in the manualmode, and controls the steering actuator in response to a controlcommand received from VCIBs 111 and 112 in the autonomous mode. Thecontrol device of steering system 122A and the control device ofsteering system 122B may be communicatively connected to each other.Steering systems 122A and 122B both implement a steering function andcan operate alone. Therefore, even when one of steering systems 122A and122B fails, the other normally operates, and vehicular body 10 can thusbe steered.

Pinion angle sensors 128A and 128B are connected to steering systems122A and 122B, respectively. Each of pinion angle sensors 128A and 128Bsenses a pinion angle. The pinion angle is a rotation angle of a piniongear coupled to a rotation shaft of the steering mechanism or thesteering actuator. The pinion angle represents a tire turning angle.Results of sensing by pinion angle sensors 128A and 128B are transmittedto vehicle control interface 110. In the present embodiment, the pinionangle sensed by pinion angle sensor 128A is output from pinion anglesensor 128A to steering system 122A and from steering system 122A toVCIB 111. The pinion angle sensed by pinion angle sensor 128B is outputfrom pinion angle sensor 128B to steering system 122B and from steeringsystem 122B to VCIB 112.

VP 120 further includes an EPB (Electric Parking Brake) system 123A anda P (parking)-Lock system 123B.

EPB system 123A includes an EPB (electric parking brake) that appliesbraking force to at least one wheel of vehicular body 10, and a controldevice that controls the EPB. The EPB is provided separately from thebraking mechanism described above, and locks the wheel by an electricactuator. The EPB may be configured to lock the wheel by operating adrum brake by the electric actuator for parking brakes. Further, the EPBmay be configured to lock the wheel by adjusting by the electricactuator the hydraulic pressure of a hydraulic system different from theabove-described braking actuator. The control device controls the EPB inresponse to a user operation in the manual mode, and controls the EPB inresponse to a control command received from VCIBs 111 and 112 in theautonomous mode.

P-Lock system 123B includes a P-Lock mechanism provided in thetransmission of vehicular body 10, a P-Lock actuator serving as anactuator for driving the P-Lock mechanism, and a control device thatcontrols the P-Lock actuator. The P-Lock mechanism may be, for example,a mechanism to lock a position of rotation of the output shaft of thetransmission by fitting a parking lock pawl, which is positionallyadjustable by an actuator, into a gear (a lock gear) coupled to arotational element in the transmission and thus provided. The controldevice controls the P-Lock actuator in response to a user operation inthe manual mode, and controls the P-Lock actuator in response to acontrol command received from VCIBs 111 and 112 in the autonomous mode.

EPB system 123A and P-Lock system 123B both implement a vehicle lockingfunction and can operate alone. Therefore, even when one of EPB system123A and P-Lock system 123B fails, the other operates normally, andvehicular body 10 can be locked. The control device of EPB system 123Aand the control device of P-Lock system 123B may be communicativelyconnected to each other.

VP 120 further includes a propulsion system 124, a PCS (Pre-CrashSafety) system 125, and a body system 126.

Propulsion system 124 includes a shift device that determines a shiftrange (that is, a propulsion direction) and a driving device thatimparts propulsive force to vehicular body 10. The shift device has ashift lever operated by the user, and in the manual mode, the shiftdevice switches a shift range in response to a user operation (that is,a shift lever operation). In the autonomous mode, the shift deviceswitches a shift range in response to a control command received fromVCIBs 111 and 112. The driving device includes, for example, a batterythat stores electric power for traveling, a motor generator thatreceives electric power from the battery to rotate a wheel of vehicularbody 10, and a control device that controls the motor generator. Thecontrol device controls the motor generator in response to a useroperation (for example, an accelerator pedal operation) in the manualmode, and controls the motor generator in response to a control commandreceived from VCIBs 111 and 112 in the autonomous mode.

PCS system 125 uses a camera/radar 129 which is a camera and/or a radarto carry out vehicle control to mitigate or avoid damage caused bycollision. PCS system 125 is communicatively connected to brake system121B. PCS system 125 for example uses camera/radar 129 to determinewhether there is a possibility of a collision, and when PCS system 125determines that there is a possibility of a collision, PCS system 125requests brake system 121B to increase a braking force.

Body system 126 includes body-related components (e.g., a directionindicator, a horn, and a wiper) and a control device that controls thebody-related components. In the manual mode, the control device controlsthe body-related components in response to a user operation, and in theautonomous mode, the control device controls the body-related componentsin response to a control command received from VCIBs 111 and 112.

While in VP 120 according to the present embodiment a control device isprovided for each control system, the number of control devices can bechanged as appropriate. For example, one control device may beconfigured to integrally control each control system.

Vehicle 1 according to the present embodiment is a four-wheel electricvehicle (EV) which does not include an engine (an internal combustionengine). However, vehicle 1 is not limited thereto, and may be aconnected car (e.g., a hybrid vehicle) provided with an engine. Thenumber of wheels that vehicle 1 includes is not limited to four wheels,and may be changed as appropriate. Vehicle 1 may include three wheels orfive or more wheels.

Vehicle 1 is configured to switchable between an autonomous mode and amanual mode. An API signal that ADS 200 receives from vehicle controlinterface 110 includes a signal Autonomy_State indicating whethervehicle 1 is in the autonomous mode or the manual mode. The user canselect either the autonomous mode or the manual mode via a prescribedinput device. The prescribed input device may be an input device (notshown) included in vehicular body 10 (for example, vehicle controlinterface 110 or VP 120). When any mode is selected by the user, vehicle1 enters the selected mode, and the selection result is reflected in theAutonomy_State. However, when vehicle 1 is not in an autonomouslydrivable state, the vehicle does not transition to the autonomous modeeven when the user selects the autonomous mode. Autonomy_Stateindicating the current mode of the vehicle (i.e., the autonomousmode/the manual mode) is sequentially output from vehicle controlinterface 110 to ADS 200 in real time. In an initial state (that is,when vehicle 1 is started), vehicle 1 is in the manual mode. ADS 200 maybe configured to obtain Autonomy_State through HMI 230 (see FIG. 2).

When vehicle 1 is in the autonomous mode, ADS 200 executes the API totransmit a command for autonomous driving control to VP 120. FIG. 3 is aflowchart of a process performed by ADS 200 in autonomous drivingcontrol according to the present embodiment. The process shown in thisflowchart is repeatedly performed periodically as corresponding to theAPI (i.e., in accordance with an API period) when vehicle 1 is in theautonomous mode.

Referring to FIG. 3 together with FIGS. 1 and 2, in step (hereinaftersimply referred to as “S”) 11, ADS 200 obtains current information ofvehicle 1. For example, ADC computer 210 obtains environment informationand pose information of vehicle 1 from sensors for perception 260 andsensors for pose 270. In the present embodiment, regardless of whethervehicle 1 may be in the autonomous mode or the manual mode, an APIsignal indicating a state of vehicle 1 (Propulsion Direction by Driver,Actual_Moving_Direction, Propulsion Direction Status,Estimated_Max_Accel_Capability, Estimated_Max_Decel_Capability,Longitudinal_Velocity, etc., described hereinafter) is sequentiallyoutput from vehicle control interface 110 to ADS 200 in real time. ADS200 can refer to such an API signal to obtain information of vehicle 1to be used in generating a driving plan (S12), which will be describedhereinafter. When the Autonomy_State indicates the manual mode, theprocess of series of steps shown in FIG. 3 ends.

In S12, ADC computer 210 creates a driving plan based on the informationof vehicle 1 obtained in S11. When a driving plan is already present,the driving plan may be corrected based on the information of vehicle 1.For example, ADC computer 210 calculates a behavior of vehicle 1 (e.g.,a pose of vehicle 1) and creates a driving plan suitable for a state ofvehicle 1 and an environment external to vehicle 1. The driving plan isdata indicating a behavior of vehicle 1 for a prescribed period of time.

In S13, ADC computer 210 extracts a physical control quantity(acceleration, a tire turning angle, etc.) from the driving plan createdin S12.

In S14, ADC computer 210 splits the physical quantity extracted in S13by a defined cycle time of each API.

In S15, ADC computer 210 executes the API using the physical quantitysplit in S14. When the API is thus executed, an API command (e.g., aPropulsion Direction Command, an Acceleration Command, and a StandstillCommand, and the like, which will be described hereinafter) forimplementing the physical quantity in accordance with the driving planis transmitted from ADS 200 to vehicle control interface 110. Vehiclecontrol interface 110 transmits a control command corresponding to thereceived API command to VP 120, and VP 120 carries out autonomousdriving control of vehicle 1 in response to the control command.

In the present embodiment, it is assumed that vehicle 1 is autonomouslydriven when vehicle 1 is manned. This is not exclusive, however, andvehicle 1 may be autonomously driven when vehicle 1 is unmanned.

In the manual mode, a shift change of vehicle 1 (i.e., switching a shiftrange) is performed in response to the driver's shift lever operation.In the present embodiment, in the manual mode, the driver can select anyone of a P (parking) range, an N (neutral) range, a D (drive) range, anR (reverse) range, and a B (brake) range, for example. The D range andthe B range correspond to a traveling range. Deceleration is stronger inthe B range than in the D range.

The command sent from ADS 200 to VP 120 through vehicle controlinterface 110 includes a command referred to as a Propulsion DirectionCommand to request to switch a shift range to another. In the autonomousmode, ADS 200 performs a shift change of vehicle 1 by using thePropulsion Direction Command. In the present embodiment, ADS 200 canonly select the D range and the R range in the autonomous mode. That is,in the autonomous mode, vehicle 1 has a shift range which is either theD range or the R range. In the present embodiment, the PropulsionDirection Command is set to any one of No Request, a value (R)requesting a shift to the R range, and a value (D) requesting a shift tothe D range. In the autonomous mode, VP 120 performs a shift change ofvehicle 1 in response to the Propulsion Direction Command.

The API signal includes a signal Propulsion Direction Status indicatingthe current shift range. The Propulsion Direction Status basicallyindicates a value corresponding to the current shift range (one of P, N,D, R, and B in the present embodiment), and indicates “Invalid Value”when the current shift range is unknown.

The API signal includes a signal Propulsion Direction by Driverindicating a shift lever position by a driver. The Propulsion Directionby Driver is output from vehicle control interface 110 to ADS 200 whenthe driver operates the shift lever. The Propulsion Direction by Driverbasically represents a value corresponding to a position of the shiftlever (one of P, N, D, R, and B in the present embodiment). When thedriver releases his/her hand from the shift lever, the shift leverreturns to a central position and the Propulsion Direction by Driverindicates “No Request.”

During the autonomous mode, the driver's shift lever operation is notreflected in the Propulsion Direction Status. Note, however, that ADS200 may determine a value for the Propulsion Direction Command byreferring to the Propulsion Direction by Driver. If necessary, ADS 200confirms the Propulsion Direction by Driver, and requests switching ashift position to another by the Propulsion Direction Command asnecessary.

The API signal includes a signal Longitudinal_Velocity indicating anestimated longitudinal velocity of vehicle 1. Longitudinal_Velocityindicates, for example, a longitudinal velocity of vehicle 1 asestimated by VP 120 using a wheel speed sensor. Longitudinal_Velocityindicates an absolute value of the velocity. That is,Longitudinal_Velocity indicates a positive value both when vehicle 1moves forward and when vehicle 1 moves backward. TheLongitudinal_Velocity according to the present embodiment corresponds toone example of a “first signal” according to the present disclosure.

The API signal includes a signal Actual_Moving_Direction indicating amoving direction of vehicle 1. In the present embodiment,Actual_Moving_Direction is set to any one of Forward, Reverse,Standstill, and Undefined. FIG. 4 is a flowchart of a process performedby vehicle control interface 110 for setting Actual_Moving_Direction.The Actual_Moving_Direction according to the present embodimentcorresponds to an example of a “third signal” according to the presentdisclosure.

Referring to FIG. 4 together with FIG. 2, in S21, vehicle controlinterface 110 determines whether the wheels (i.e., four wheels) ofvehicle 1 all have a speed of 0.

When a determination of YES is made in S21 (that is, the four wheels areall stopped), then, vehicle control interface 110 determines in S22whether a prescribed period of time (for example of 500 msec) haselapsed since the four wheels reached the speed of 0. While adetermination of YES is made in S21 and a determination of NO is made inS22 (that is, the prescribed period of time has not yet elapsed), S21and S22 are repeated. Once a determination of YES is made in S22 (thatis, the prescribed period of time has elapsed), vehicle controlinterface 110 sets the Actual_Moving_Direction to “Standstill” in S25.

When a determination of NO is made in S21 (that is, any of the fourwheels is rotating), vehicle control interface 110 determines in S23whether more than half the wheels rotate forward. When a determinationof YES is made in S23 (that is, when three or more wheels rotateforward), vehicle control interface 110 sets the Actual_Moving_Directionto “Forward” in S26.

When a determination of NO is made in S23 (that is, when two or lesswheels rotate forward), vehicle control interface 110 determines in S24whether more than half the wheels rotate backward. When a determinationof YES is made in S24 (that is, when three or more wheels rotatebackward), vehicle control interface 110 sets theActual_Moving_Direction to “Reverse” in S27. In contrast, when adetermination of NO is made in S24 (that is, when two or less wheelsrotate backward), vehicle control interface 110 sets theActual_Moving_Direction to “Undefined” in S28.

Thus, in vehicle 1 according to the present embodiment, theActual_Moving_Direction indicates Standstill when a prescribed number ofwheels (for example, four wheels) of vehicle 1 continue a speed of 0 fora prescribed period of time. In the present embodiment, the processshown in FIG. 4 is performed by vehicle control interface 110. This isnot exclusive, however, and the process of FIG. 4 may be partially orentirely performed by VP 120. For example, the FIGS. 4 S21 and S22 maybe performed by VP 120, rather than vehicle control interface 110, andvehicle control interface 110 may receive a result of the steps from VP120.

A command sent from ADS 200 to VP 120 through vehicle control interface110 includes an Acceleration Command and a Standstill Command.

The Acceleration Command is a signal requesting acceleration anddeceleration in the autonomous mode. The Acceleration Command indicatesa positive value when acceleration is requested for a directionindicated by the Propulsion Direction Status, and the AccelerationCommand indicates a negative value when deceleration is requested inthat direction. The Acceleration Command requests acceleration (+) anddeceleration (−) for the direction indicated by the Propulsion DirectionStatus. Upper limit values of acceleration and deceleration of theAcceleration Command are determined by estimated maximum accelerationcapability and estimated maximum deceleration capability, respectively,which will be described hereinafter. The Acceleration Command accordingto the present embodiment corresponds to an example of a “first command”according to the present disclosure.

The API signal includes a signal Estimated_Max_Accel_Capabilityindicating an estimated maximum acceleration, and a signalEstimated_Max_Decel_Capability indicating an estimated maximumdeceleration. In the present embodiment, VP 120 calculates anacceleration provided at the time of WOT (Wide Open Throttle), estimatesa value for Estimated_Max_Accel_Capability (that is, a possible maximumacceleration that vehicle 1 is currently requested to provide) based onthe calculated acceleration, the current state of vehicle 1 and thecurrent road surface condition (e.g., gradient and road surface load),and outputs the estimated value to vehicle control interface 110.Estimated_Max_Accel_Capability is such that a direction in which vehicle1 proceeds (that is, a direction indicated by the Propulsion DirectionStatus) is a positive direction and the reverse direction is a negativedirection. Estimated_Max_Decel_Capability has a value varying in a rangeof −9.8 m/s² to 0 m/s². VP 120 estimates a value forEstimated_Max_Decel_Capability (that is, a possible maximum decelerationthat vehicle 1 is currently requested to provide) based on the states ofbrake systems 121A, 121B (e.g., a brake mode), the current state ofvehicle 1, and the current road surface condition. Depending on thestate of vehicle 1 and the road surface condition,Estimated_Max_Decel_Capability may be 0.

The Acceleration Command has a value selected from the range ofEstimated_Max_Decel_Capability to Estimated_Max_Accel_Capability. WhenVP 120 receives a request from both the Acceleration Command and PCSsystem 125 (FIG. 2) for deceleration, VP 120 selects a maximumdeceleration out of the decelerations requested by the AccelerationCommand and PCS system 125. Note that deceleration is represented inmagnitude by an absolute value. That is, deceleration becomes smaller asit approaches 0, and deceleration becomes larger as it is farther awayfrom 0.

The Standstill Command is a signal requesting to maintain stationary inthe autonomous mode. In the present embodiment, the Standstill Commandis set to any one of No Request, Applied (a value requesting to maintainstationary), and Released (a value requesting release from maintainingstationary). The Standstill Command can be set to maintain stationarywhen vehicle 1 is at a standstill (for example when theActual_Moving_Direction is “Standstill”). When the Acceleration Commandindicates an acceleration value (a positive value), the StandstillCommand is not set to “Applied.” Once to maintain stationary (e.g.,brake hold control described hereinafter) is completed, vehicle 1transitions to Standstill. The Standstill Command according to thepresent embodiment corresponds to an example of a “second command”according to the present disclosure.

The API signal includes a signal Standstill Status indicating astandstill status of vehicle 1. The Standstill Status basicallyindicates either Applied (a value indicating that vehicle 1 is at aStandstill) or Released (a value indicating that vehicle 1 is not at aStandstill), and indicates “Invalid Value” when it is unknown whichstandstill status vehicle 1 has. Standstill means a state in whichvehicle 1 is maintained stationary (for example, brake hold). TheStandstill Status according to the present embodiment corresponds to anexample of a “second signal” according to the present disclosure.

In the present embodiment, when ADS 200 issues an Acceleration Commandto request VP 120 to provide deceleration to bring vehicle 1 to astandstill, and the Longitudinal_Velocity indicates 0 km/h, ADS 200issues a Standstill Command to request VP 120 to maintain stationary,and VP 120 carries out brake hold control. After the brake hold controlis finished, the Standstill Status indicates Applied. Until theStandstill Status indicates Applied, the Acceleration Command continuesto request VP 120 to provide deceleration.

FIG. 5 is a flowchart of a process involved in brake hold controlcarried out by vehicle control interface 110 in the autonomous mode. Theprocess shown in this flowchart is repeatedly performed in accordancewith the API period in synchronization with a process of ADS 200 whenvehicle 1 is in the autonomous mode.

Referring to FIG. 5 together with FIG. 2, in S31, vehicle controlinterface 110 determines whether a deceleration request (that is, anAcceleration Command to request deceleration) has been received. When adetermination of YES is made in S31 (that is, a deceleration request hasbeen received), vehicle control interface 110 determines in S32 whethera standstill request (that is, a Standstill Command to request tomaintain stationary) has been received. When a determination of YES ismade in S32 (that is, a standstill request has been received), vehiclecontrol interface 110 determines in S33 whether theActual_Moving_Direction is Standstill.

When a determination of NO is made in S33, the control returns to theinitial step (S31). When the Acceleration Command requests deceleration(YES in S31), vehicle 1 is controlled to be decelerated in response tothe Acceleration Command (see S52 in FIG. 7 described hereinafter). Whenvehicle 1 controlled to be decelerated has its four wheels all reachinga speed of 0, the Actual_Moving_Direction is set to Standstill (see FIG.4), and a determination of YES is made in S33.

When the Acceleration Command requests deceleration (YES in S31), theStandstill Command requests to maintain stationary (YES in S32), and theActual_Moving_Direction indicates Standstill (YES in S33), vehiclecontrol interface 110 instructs VP 120 in S34 to start brake hold (BH)control. In brake systems 121A and 121B of VP 120 (see FIG. 2), thebraking actuator is controlled in accordance with the instruction fromvehicle control interface 110. When controlling the braking actuator iscompleted, brake systems 121A and 121B transmit a BH Completed signalindicating that controlling the braking actuator is completed.

In S35, vehicle control interface 110 determines whether the brake holdcontrol is completed. Vehicle control interface 110 determines whetherthe brake hold control has been completed based on, for example, whetherthe BH Completed signal has been received. In the present embodiment,vehicle control interface 110 having received the BH Completed signalmeans that VP 120 has completed the brake hold control.

While determination of YES is made in all of S31 to S33, brake holdcontrol is carried out in S34, and when the brake hold control iscompleted (YES in S35), then, in step S36, vehicle control interface 110sets the Standstill Status to Applied.

When a determination of NO is made in either S31 or S32, vehicle controlinterface 110 determines in S37 whether a Release Standstill request(that is, a Standstill Command to request release from maintainingstationary) has been received. When a determination of YES is made inS37 (that is, a Release Standstill request has been received), vehiclecontrol interface 110 instructs VP 120 in S38 to release brake hold (BH)of vehicle 1. Thus in brake systems 121A and 121B of VP 120 the brakeactuators are controlled and the brake hold is thus released. When it isalready released, it is held released. Then, vehicle control interface110 sets the Standstill Status to Released in S39. In contrast, when adetermination of NO is made in S37 (that is, no Release Standstillrequest has been received), the control returns to the initial step(S31).

In vehicle 1 according to the present embodiment, when ADS 200 issues anAcceleration Command to request VP 120 to provide deceleration to bringvehicle 1 to a standstill (YES in S31), and thereafter, before brakehold control is completed the request through the Acceleration Commandfor deceleration is cancelled (NO in S31), transitioning to the brakehold control (S34) is canceled. When the request is cancelled before thebrake hold control starts, transitioning to the brake hold control isnot performed. When the request is cancelled while the brake holdcontrol has already been started, the brake hold control currentlycarried out is stopped, and brake systems 121A and 121B return to astate assumed before the brake hold control is carried out.

In vehicle 1 according to the present embodiment, when ADS 200 issues aStandstill Command to request VP 120 to maintain stationary (YES inS32), and thereafter, before brake hold control is completed the requestthrough the Standstill Command to maintain stationary is cancelled (NOin S32), transitioning to the brake hold control (S34) is canceled. Whenthe request is cancelled before the brake hold control starts,transitioning to the brake hold control is not performed. When therequest is cancelled while the brake hold control has already beenstarted, the brake hold control currently carried out is stopped, andbrake systems 121A and 121B return to a state assumed before the brakehold control is carried out.

In the present embodiment, the process shown in FIG. 5 is performed byvehicle control interface 110. This is not exclusive, however, and theprocess of FIG. 5 may partially or entirely be performed by VP 120. Whenthe FIG. 5 process is performed by VP 120, rather than vehicle controlinterface 110, then, in S34 and S38, VP 120 per se controls brakesystems 121A and 121B (i.e., to maintain stationary/release therefrom)without receiving an instruction from vehicle control interface 110.

In the present embodiment, the EPB (electric parking brake) is activatedafter a prescribed period of time has elapsed since the StandstillStatus indicated Applied. FIG. 6 is a flowchart of a process involved inEPB control carried out by vehicle control interface 110 in theautonomous mode. The process shown in this flowchart is repeatedlyperformed in accordance with the API period in synchronization with aprocess of ADS 200 when vehicle 1 is in the autonomous mode.

Referring to FIG. 6 together with FIG. 2, in S41, vehicle controlinterface 110 determines whether the Standstill Status indicatesApplied. When a determination of YES is made in S41 (StandstillStatus=Applied), vehicle control interface 110 determines in S42 whethera prescribed period of time (for example of 3 minutes) has elapsed sincethe Standstill Status indicated Applied. While the Standstill Status ismaintained Applied (YES in S41) and a determination of NO is made inS42, S41 and S42 are repeated, and when a determination of YES is madein S42, the control proceeds to S43. In S43, vehicle control interface110 instructs VP 120 to activate the EPB. Thus, EPB system 123A iscontrolled in VP 120, and the EPB is activated. When the EPB is alreadyactive, the EPB is held active.

When a determination of NO is made in S41 (Standstill Status=Released orInvalid Value), the control proceeds to S44. In S44, vehicle controlinterface 110 instructs VP 120 to release the EPB. Thus, EPB system 123Ais controlled in VP 120, and the EPB is thus released. When the EPB hasalready been released, the EPB is held released.

Thus, in vehicle 1 according to the present embodiment, the EPB(electric parking brake) is engaged after a prescribed period of timehas elapsed since the Standstill Status indicated Applied. In thepresent embodiment, the process shown in FIG. 6 is performed by vehiclecontrol interface 110. This is not exclusive, however, and the processof FIG. 6 may partially or entirely be performed by VP 120. When theFIG. 6 process is performed by VP 120, rather than vehicle controlinterface 110, then, in S43 and S44, VP 120 per se controls (i.e.,activates/deactivates) EPB system 123A without receiving an instructionfrom vehicle control interface 110.

In the present embodiment, vehicle control interface 110 interposedbetween VP 120 and ADS 200 adjusts commands involved in decelerationcontrol, start control, and acceleration control. Various signalscommunicated between VP 120 and ADS 200 are input to and output fromvehicle control interface 110.

FIG. 7 is a flowchart of a procedure of a process performed by vehiclecontrol interface 110 in deceleration control in the autonomous mode.The process shown in this flowchart is started when vehicle 1 is in theautonomous mode and vehicle control interface 110 receives adeceleration request from ADS 200. While vehicle control interface 110receives a deceleration request from ADS 200, this process is repeatedlyperformed in accordance with the API period in synchronization with aprocess of ADS 200.

Referring to FIG. 7 together with FIG. 2, in S51, vehicle controlinterface 110 determines whether a deceleration request (that is, anAcceleration Command to request deceleration) has been received from ADS200. When a determination of YES is made in S51 (that is, a decelerationrequest has been received), in S52 vehicle control interface 110transmits a control command corresponding to the Acceleration Command(an API command) received from ADS 200 (more specifically, a controlcommand to request deceleration) to VP 120 to carry out decelerationcontrol for vehicle 1. In VP 120, brake systems 121A and 121B andpropulsion system 124 (see FIG. 2) are controlled in response to thecontrol command.

After the step of S52, in S53, vehicle control interface 110 uses asignal received from VP 120 to determine whether theLongitudinal_Velocity indicates 0 km/h. When a determination of NO ismade in S53 (that is, Longitudinal_Velocity>0 km/h), the control returnsto the initial step (S51). When ADS 200 issues an Acceleration Commandto request VP 120 to provide deceleration to bring vehicle 1 to astandstill, then, in response to the deceleration request (S51), vehicle1 is subjected to deceleration control (S52) and thus reduced invelocity, and finally, the Longitudinal_Velocity will indicate 0 km/h.

When a determination of YES is made in S53 (that is,Longitudinal_Velocity=0 km/h), then, in S54, vehicle control interface110 requests from ADS 200 a Standstill request (i.e., a StandstillCommand to request to maintain stationary). In response to this request,ADS 200 transmits the Standstill request to VP 120 through vehiclecontrol interface 110.

After the step of S54, vehicle control interface 110 determines in S55whether the Standstill Status indicates Applied. The Standstill Statusis set through the process shown in FIG. 5. After the step of S54 inFIG. 7, when the Actual_Moving_Direction is set to Standstill, brakehold control is carried out (S34 in FIG. 5). When the brake hold controlis completed (YES in S35 in FIG. 5), the Standstill Status is set toApplied (S36 in FIG. 5).

After in response to the request in S54 the Standstill Command is set toApplied before the Standstill Status is set to Applied (that is, while adetermination of NO is made in S55), vehicle control interface 110requests ADS 200 in S56 to set V2 for the value of the AccelerationCommand. V2 is a deceleration value (i.e., a negative value). Inresponse to this request, ADS 200 transmits a constant decelerationvalue (i.e., V2) as a value for the Acceleration Command to VP 120through vehicle control interface 110. In the present embodiment, V2 isset to −0.4 m/s².

When a determination of YES is made in S55 (Standstill Status=Applied),vehicle control interface 110 requests ADS 200 in S57 to set V3 for thevalue of the Acceleration Command. V3 is a deceleration value or 0 m/s².In the present embodiment, V3 is set to 0 m/s². In response to the aboverequest (S57), ADS 200 transmits V3 (e.g., 0 m/s²) as a value for theAcceleration Command to VP 120 through vehicle control interface 110.Until start control described hereinafter (see FIG. 8) is started, ADS200 maintains vehicle 1 at a standstill (Standstill Status=Applied) andmaintains the value of the Acceleration Command at V3. Note that V3 isnot limited to 0 m/s². For example, V3 may be a deceleration valuesmaller than V2 or may be equal to V2.

When the step of S57 is performed, the series of steps of the process ofFIG. 7 ends. The series of steps of the process of FIG. 7 also ends whenthe Acceleration Command no longer requests deceleration (NO in S51).

FIG. 8 is a flowchart of a procedure of a process performed by vehiclecontrol interface 110 in the start control in the autonomous mode. Theprocess shown in this flowchart is started when vehicle 1 is in theautonomous mode and vehicle control interface 110 receives a startrequest from ADS 200. When the Standstill Status indicates “Applied” anda Standstill Command received from ADS 200 changes from “Applied” to“Released” vehicle control interface 110 determines that a start requesthas been received from ADS 200.

Referring to FIG. 8 together with FIG. 2, vehicle control interface 110requests ADS 200 in S61 to set V4 for the value of the AccelerationCommand (more specifically, a deceleration value), and in S62 receivesthe Acceleration Command from ADS 200 and transmits a control commandcorresponding thereto (more specifically, a control command to requestdeceleration) to VP 120 to perform deceleration control for vehicle 1.In VP 120, brake systems 121A and 121B and propulsion system 124 (seeFIG. 2) are controlled in response to the control command. Thus, until adetermination of YES is made in S63 described hereinafter, accelerationof vehicle 1 is suppressed and vehicle 1 is held in a state with avehicular velocity of 0 (Actual_Moving_Direction=Standstill). V4 is aprescribed deceleration value (that is, a negative value). V4 may be adeceleration value smaller than V2 or may be equal to V2.

In S63, vehicle control interface 110 determines whether a prescribedperiod of time (hereinafter referred to as “AT”) has elapsed since thestart request was made. ΔT is for example set to be equal to or longerthan a period of time taken after the Standstill Command is set to“Released” before the Standstill Status is set to “Released.” ΔT may beselected from a range of 1 second to 10 seconds.

ADS 200 maintains the Acceleration Command at value V4 for a period oftime after the start request is made before AT elapses (that is, while adetermination of NO is made in S63). After the start request is madewhen AT elapses (YES in S63), in S64 vehicle control interface 110requests from ADS 200 an Acceleration Command to request acceleration,or an acceleration request, and thereafter the series of steps of theprocess of FIG. 8 ends. In response to the request from vehicle controlinterface 110 (S64), ADS 200 transmits the acceleration request to VP120 through vehicle control interface 110. This allows transitioning toacceleration control described hereinafter.

FIG. 9 is a flowchart of a procedure of a process performed by vehiclecontrol interface 110 in acceleration control in the autonomous mode.The process shown in this flowchart is started when vehicle 1 is in theautonomous mode and vehicle control interface 110 receives anacceleration request from ADS 200. While vehicle control interface 110receives an acceleration request from ADS 200, this process isrepeatedly performed in accordance with the API period insynchronization with a process of ADS 200.

Referring to FIG. 9 together with FIG. 2, in S71, vehicle controlinterface 110 determines whether an acceleration request has beenreceived from ADS 200. When a determination of YES is made in S71 (thatis, an acceleration request has been received), in S72 vehicle controlinterface 110 transmits a control command corresponding to anAcceleration Command received from ADS 200 (more specifically, a controlcommand to request acceleration) to VP 120 to carry out accelerationcontrol for vehicle 1. In propulsion system 124 of VP 120, the drivingdevice is controlled in response to the control command.

While vehicle control interface 110 receives the acceleration requestfrom ADS 200 (that is, while a determination of YES is made in S71),vehicle control interface 110 continues acceleration control for vehicle1 (S72). In contrast, when the Acceleration Command no longer requestsacceleration (NO in S71), the series of steps of the process in FIG. 9ends.

In the present embodiment, the processes shown in FIGS. 7 to 9 areperformed by vehicle control interface 110. This is not exclusive,however, and the processes shown in FIGS. 7 to 9 may partially orentirely be performed by ADS 200. For example, when the process shown inFIG. 7 is performed by ADS 200, rather than vehicle control interface110, ADS 200 per se changes each command's value in the steps of S54,S56 and S57 without receiving a request from vehicle control interface110. Until the Standstill Status indicates Standstill in response to theStandstill Command (S54) (NO in S55), ADS 200 issues the AccelerationCommand to continue to request VP 120 to provide deceleration (S56).

FIG. 10 is timing plots representing an exemplary operation of vehicle 1autonomously driven in the autonomous mode. Referring to FIG. 10, inthis example, the Acceleration Command (indicated by a line L12) is setfrom 0 m/s² to V1 at time t1. V1 is a deceleration value larger than V2(that is, a deceleration value more negative than V2). V1 may beselected, for example, from a range of −6.0 m/s² to −1.0 m/s². When theAcceleration Command (line L12) is set to V1, vehicle 1 is subjected todeceleration control (S52 in FIG. 7). As a result, theLongitudinal_Velocity (indicated by a line L11) approaches 0 km/h.Thereafter, at time t2, the Longitudinal_Velocity (line L11) reaches 0km/h, and in response, the Standstill Command (indicated by a line L13)is set to “Applied” (S54 in FIG. 7) and the Acceleration Command is setto V2 (for example, −0.4 m/s²) (S56 in FIG. 7). Thereafter, at time t3,the Actual_Moving_Direction (indicated by a line L15) is set to“Standstill” and brake hold control is carried out (S34 in FIG. 5). Attime t4 the brake hold control is completed and the Standstill Status(indicated by a line L14) is set to “Applied” (S36 in FIG. 5), and inresponse, the Acceleration Command (line L12) is set to V3 (e.g., 0m/s²) (S57 in FIG. 7). And when a prescribed period of time has elapsed,the EPB is activated (S43 in FIG. 6). The Acceleration Command ismaintained at V2 (that is, a constant deceleration value) after theStandstill Command (line L13) is set to “Applied” before the StandstillStatus (line L14) is set to “Applied” (or for a period from t2 to t4).

For a period from t4 to t5, vehicle 1 maintains a Standstill. The periodfrom t4 to t5 may be a signal waiting period. In vehicle 1 according tothe present embodiment, when the brake hold control is completed and arequest through the Standstill Command to maintain stationary stillcontinues, vehicle 1 continues Standstill (Standstill Status=Applied)while the Standstill Command requests to maintain stationary (StandstillCommand=Applied).

At time t5, the Standstill Command (line L13) is set from “Applied” to“Released,” and in response, the Acceleration Command (line L12) is setto V4 (S61 in FIG. 8). Furthermore, as the Standstill Command (line L13)is set to “Released,” at time t6 vehicle 1 is released from the brakehold (S38 in FIG. 5), the Standstill Status (line L14) is set to“Released” (S39 in FIG. 5), and the EPB is released (S44 in FIG. 6).Thereafter, at time t7, the Acceleration Command (line L12) is set to V5(S64 in FIG. 8). V5 is an acceleration value (i.e., a positive value).For a period of t5 to t7, the Acceleration Command is maintained at V4.The period of t5 to t7 corresponds to the aforementioned ΔT.

In vehicle 1 according to the present embodiment, when ADS 200 cancels aStandstill Command to cancel a Maintain Stationary request (StandstillCommand=Released) in order to start vehicle 1, brake hold applied tovehicle 1 is released and VP 120 controls acceleration and decelerationof vehicle 1 based on an Acceleration Command.

During a period of t7 to t8, vehicle 1 is subjected to accelerationcontrol (S72 in FIG. 9). As a result, the Longitudinal_Velocity (lineL11) increases. At time t8, the Longitudinal_Velocity (line L11) reachesa target value, and in response, the Acceleration Command is set to 0m/s², and the acceleration control (FIG. 9) ends.

Thus, vehicle 1 according to the present embodiment comprises ADS 200and VP 120 that controls vehicle 1 in response to a command receivedfrom ADS 200. When ADS 200 issues an Acceleration Command to requestvehicle control interface 110 to provide deceleration to stop vehicle 1and the Longitudinal_Velocity indicates 0 km/h, ADS 200 issues aStandstill Command to request VP 120 to maintain stationary. When thebrake hold control is finished, the Standstill Status indicates Applied.Until the Standstill Status indicates Applied, the Acceleration Commandcontinues to request VP 120 to provide deceleration.

According to the above configuration, after vehicle 1 is stopped,acceleration of vehicle 1 is suppressed in response to a request throughthe Acceleration Command for deceleration. Thus, when VP 120 carries outautonomous driving control in response to a command issued from ADS 200,vehicle 1 can be appropriately maintained stationary (that is, brakehold control can be carried out appropriately).

Vehicle control interface 110 according to the present embodiment isprovided between ADS 200 and VP 120 that controls vehicle 1 in responseto a command received from ADS 200. When ADS 200 issues an AccelerationCommand to request VP 120 to provide deceleration to stop vehicle 1 andthe Longitudinal_Velocity indicates 0 km/h, vehicle control interface110 requests from ADS 200 a Standstill request (i.e., a StandstillCommand to request to maintain stationary) (S54 in FIG. 7). Vehiclecontrol interface 110 requests ADS 200 to continuously transmit adeceleration request (that is, an Acceleration Command to requestdeceleration) until the Standstill Status indicates Applied (S56 in FIG.7). Such vehicle control interface 110 allows acceleration of vehicle 1to be suppressed in response to a request through an AccelerationCommand for deceleration even after the vehicle is stopped (that is,even after the Longitudinal_Velocity indicates 0 km/h). Thus, when VP120 carries out autonomous driving control in response to a commandissued from ADS 200, vehicle 1 can be appropriately maintainedstationary (that is, brake hold control can be carried outappropriately).

In the above embodiment, the Acceleration Command changes stepwise from0 m/s² to V1, from V1 to V2, and from V2 to 0 m/s² (see FIG. 10). Thisis not exclusive, however, and the Acceleration Command may changesmoothly (e.g., in a curve).

In the above embodiment, in S53 of FIG. 7, whether theLongitudinal_Velocity indicates 0 km/h is determined. This is notexclusive, however, and in S53 of FIG. 7, whether theLongitudinal_Velocity indicates a prescribed velocity or less may bedetermined. The prescribed velocity may be a value which is small to anextent allowing vehicle 1 to be regarded as being stationary (e.g.,approximately 0.1 km/h).

Vehicle control interface 110 may be attached to vehicular body 10replaceably. Vehicle control interface 110 may be mounted in ADK 20rather than vehicular body 10. Vehicle control interface 110 may bedispensed with by providing the above described function of vehiclecontrol interface 110 to at least one of VP 120 and ADS 200.

Various processes of the vehicle platform, the autonomous drivingsystem, and the vehicle control interface are not limited to executionby software, and may instead be performed by dedicated hardware (orelectronic circuitry).

Example 1

Toyota's MaaS Vehicle Platform

API Specification

for ADS Developers

[Standard Edition #0.1]

History of Revision

TABLE 1 Date of Revision ver. Summary of Revision Reviser 2019 May 4 0.1Creating a new material MaaS Business Div.

Index

1. Outline 4 1.1. Purpose of this Specification 4 1.2. Target Vehicle 41.3. Definition of Term 4 1.4. Precaution for Handling 4 2. Structure 52.1. Overall Structure of MaaS 5 2.2. System structure of MaaS vehicle 63. Application Interfaces 7 3.1. Responsibility sharing of when usingAPIs 7 3.2. Typical usage of APIs 7 3.3. APIs for vehicle motion control9 3.3.1. Functions 9 3.3.2. Inputs 16 3.3.3. Outputs 23 3.4. APIs forBODY control 45 3.4.1. Functions 45 3.4.2. Inputs 45 3.4.3. Outputs 563.5. APIs for Power control 68 3.5.1. Functions 68 3.5.2. Inputs 683.5.3. Outputs 69 3.6. APIs for Safety 70 3.6.1. Functions 70 3.6.2.Inputs 70 3.6.3. Outputs 70 3.7. APIs for Security 74 3.7.1. Functions74 3.7.2. Inputs 74 3.7.3. Outputs 76 3.8. APIs for MaaS Service 803.8.1. Functions 80 3.8.2. Inputs 80 3.8.3. Outputs 80

1. Outline

1.1. Purpose of this Specification

This document is an API specification of Toyota Vehicle Platform andcontains the outline, the usage and the caveats of the applicationinterface.

1.2. Target Vehicle

e-Palette, MaaS vehicle based on the POV (Privately Owned Vehicle)manufactured by Toyota

1.3. Definition of Term

TABLE 2 Term Definition ADS Autonomous Driving System. ADK AutonomousDriving Kit VP Vehicle Platform. VCIB Vehicle Control Interface Box.This is an ECU for the interface and the signal converter between ADSand Toyota VP's sub systems.

1.4. Precaution for Handling

This is an early draft of the document.

All the contents are subject to change. Such changes are notified to theusers. Please note that some parts are still T.B.D. will be updated inthe future.

2. Structure

2.1. Overall Structure of MaaS

The overall structure of MaaS with the target vehicle is shown (FIG.11).

Vehicle control technology is being used as an interface for technologyproviders.

Technology providers can receive open API such as vehicle state andvehicle control, necessary for development of automated driving systems.

2.2. System Structure of MaaS Vehicle

The system architecture as a premise is shown (FIG. 12).

The target vehicle will adopt the physical architecture of using CAN forthe bus between ADS and VCIB. In order to realize each API in thisdocument, the CAN frames and the bit assignments are shown in the formof “bit assignment table” as a separate document.

3. Application Interfaces

3.1. Responsibility Sharing of when Using APIs

Basic responsibility sharing between ADS and vehicle VP is as followswhen using APIs.

[ADS]

The ADS should create the driving plan, and should indicate vehiclecontrol values to the VP.

[VP]

The Toyota VP should control each system of the VP based on indicationsfrom an ADS.

3.2. Typical Usage of APIs

In this section, typical usage of APIs is described.

CAN will be adopted as a communication line between ADS and VP.Therefore, basically, APIs should be executed every defined cycle timeof each API by ADS.

A typical workflow of ADS of when executing APIs is as follows (FIG.13).

3.3. APIs for Vehicle Motion Control

In this section, the APIs for vehicle motion control which iscontrollable in the MaaS vehicle is described.

3.3.1. Functions

3.3.1.1. Standstill, Start Sequence

The transition to the standstill (immobility) mode and the vehicle startsequence are described. This function presupposes the vehicle is inAutonomy_State=Autonomous Mode. The request is rejected in other modes.

The below diagram shows an example.

Acceleration Command requests deceleration and stops the vehicle. Then,when Longitudinal_Velocity is confirmed as 0 [km/h], StandstillCommand=“Applied” is sent. After the brake hold control is finished,Standstill Status becomes “Applied”. Until then, Acceleration Commandhas to continue deceleration request. Either StandstillCommand=“Applied” or Acceleration Command's deceleration request werecanceled, the transition to the brake hold control will not happen.After that, the vehicle continues to be standstill as far as StandstillCommand=“Applied” is being sent. Acceleration Command can be set to 0(zero) during this period.

If the vehicle needs to start, the brake hold control is cancelled bysetting Standstill Command to “Released”. At the same time,acceleration/deceleration is controlled based on Acceleration Command(FIG. 14).

EPB is engaged when Standstill Status=“Applied” continues for 3 minutes.

3.3.1.2. Direction Request Sequence

The shift change sequence is described. This function presupposes thatAutonomy_State=Autonomous Mode. Otherwise, the request is rejected.

Shift change happens only during Actual_Moving_Direction=“standstill”).Otherwise, the request is rejected.

In the following diagram shows an example. Acceleration Command requestsdeceleration and makes the vehicle stop. After Actual_Moving_Directionis set to “standstill”, any shift position can be requested byPropulsion Direction Command. (In the example below, “D”→“R”).

During shift change, Acceleration Command has to request deceleration.

After the shift change, acceleration/deceleration is controlled based onAcceleration Command value (FIG. 15).

3.3.1.3. WheelLock Sequence

The engagement and release of wheel lock is described. This functionpresupposes Autonomy_State=Autonomous Mode, otherwise the request isrejected.

This function is conductible only during vehicle is stopped.Acceleration Command requests deceleration and makes the vehicle stop.After Actual_Moving_Direction is set to “standstill”, WheelLock isengaged by Immobilization Command=“Applied”. Acceleration Command is setto Deceleration until Immobilization Status is set to “Applied”.

If release is desired, Immobilization Command=“Release” is requestedwhen the vehicle is stationary. Acceleration Command is set toDeceleration at that time.

After this, the vehicle is accelerated/decelerated based on AccelerationCommand value (FIG. 16).

3.3.1.4. Road_Wheel_Angle Request

This function presupposes Autonomy_State=“Autonomous Mode”, and therequest is rejected otherwise.

Tire Turning Angle Command is the relative value fromEstimated_Road_Wheel_Angle_Actual.

For example, in case that Estimated_Road_Wheel_Angle_Actual=0.1 [rad]while the vehicle is going straight;

If ADS requests to go straight ahead, Tire Turning Angle Command shouldbe set to 0+0.1=0.1 [rad].

If ADS requests to steer by −0.3 [rad], Tire Turning Angle Commandshould be set to −0.3+0.1=−0.2 [rad].

3.3.1.5. Rider Operation

3.3.1.5.1. Acceleration Pedal Operation

While in Autonomous driving mode, accelerator pedal stroke is eliminatedfrom the vehicle acceleration demand selection.

3.3.1.5.2. Brake Pedal Operation

The action when the brake pedal is operated. In the autonomy mode,target vehicle deceleration is the sum of 1) estimated deceleration fromthe brake pedal stroke and 2) deceleration request from AD system.

3.3.1.5.3. Shift_Lever_Operation

In Autonomous driving mode, driver operation of the shift lever is notreflected in Propulsion Direction Status.

If necessary, ADS confirms Propulsion Direction by Driver and changesshift position by using Propulsion Direction Command.

3.3.1.5.4. Steering Operation

When the driver (rider) operates the steering, the maximum is selectedfrom

1) the torque value estimated from driver operation angle, and

2) the torque value calculated from requested wheel angle.

Note that Tire Turning Angle Command is not accepted if the driverstrongly turns the steering wheel. The above-mentioned is determined bySteering_Wheel_Intervention flag.

3.3.2. Inputs

TABLE 3 Signal Name Description Redundancy Propulsion Direction Requestto switch between forward (D N/A Command range) and back (R range)Immobilization Command Request to engage/release WheelLock AppliedStandstill Command Request to maintain stationary Applied AccelerationCommand Request to accelerate/decelerate Applied Tire Turning AngleCommand Request front wheel angle Applied Autonomization Command Requestto transition between manual Applied mode and autonomy mode

3.3.2.1. Propulsion Direction Command

Request to switch between forward (D range) and back (R range)

Values

TABLE 4 value Description Remarks 0 No Request 2 R Shift to R range 4 DShift to D range other Reserved

Remarks

-   -   Only available when Autonomy_State=“Autonomous Mode”    -   D/R is changeable only the vehicle is stationary        (Actual_Moving_Direction=“standstill”).    -   The request while driving (moving) is rejected.    -   When system requests D/R shifting, Acceleration Command is sent        deceleration (−0.4 m/s²) simultaneously. (Only while brake is        applied.)    -   The request may not be accepted in following cases.    -   Direction_Control_Degradation_Modes=“Failure detected”

3.3.2.2. Immobilization Command

Request to engage/release WheelLock

Values

TABLE 5 value Description Remarks 0 No Request 1 Applied EPB is turnedon and TM shifts to P range 2 Released EPB is turned off and TM shiftsto the value of Propulsion Direction Command

Remarks

-   -   Available only when Autonomy_State=“Autonomous Mode”    -   Changeable only when the vehicle is stationary        (Actual_Moving_Direction=“standstill”)    -   The request is rejected when vehicle is running.    -   When Apply/Release mode change is requested, Acceleration        Command is set to deceleration (−0.4 m/s²). (Only while brake is        applied.)

3.3.2.3. Standstill Command

Request the vehicle to be stationary

Values

TABLE 6 value Description Remarks 0 No Request 1 Applied Standstill isrequested 2 Released

Remarks

-   -   Only available when Autonomy_State=“Autonomous Mode”    -   Confirmed by Standstill Status=“Applied”    -   When the vehicle is stationary        (Actual_Moving_Direction=“standstill”), transition to Stand        Still is enabled.    -   Acceleration Command has to be continued until Standstill Status        becomes “Applied” and Acceleration Command's deceleration        request (−0.4 m/s²) should be continued.    -   There are more cases where the request is not accepted. Details        are T.B.D.

3.3.2.4. Acceleration Command

Command vehicle acceleration

Values

Estimated_Max_Decel_Capability to Estimated_Max_Accel_Capability [m/s²]

Remarks

-   -   Only available when Autonomy_State=“Autonomous Mode”    -   Acceleration (+) and deceleration (−) request based on        Propulsion Direction Status direction    -   The upper/lower limit will vary based on        Estimated_Max_Decel_Capability and        Estimated_Max_Accel_Capability.    -   When acceleration more than Estimated_Max_Accel_Capability is        requested, the request is set to Estimated_Max_Accel_Capability.    -   When deceleration more than Estimated_Max_Decel_Capability is        requested, the request is set to Estimated_Max_Decel_Capability.    -   Depending on the accel/brake pedal stroke, the requested        acceleration may not be met. See 3.4.1.4 for more detail.    -   When Pre-Collision system is activated simultaneously, minimum        acceleration (maximum deceleration) is selected.

3.3.2.5. Tire Turning Angle Command

Command tire turning angle

Values

TABLE 7 value Description Remarks — [unit: rad]

Remarks

-   -   Left is positive value (+). Right is negative value (−).    -   Available only when Autonomy_State=“Autonomous Mode”    -   The output of Estimated_Road_Wheel_Angle_Actual when the vehicle        is going straight, is set to the reference value (0).    -   This requests relative value of        Estimated_Road_Wheel_Angle_Actual. (See 3.4.1.1 for details)    -   The requested value is within        Current_Road_Wheel_Angle_Rate_Limit.    -   The requested value may not be fulfilled depending on the steer        angle by the driver.

3.3.2.6. Autonomization Command

Request to transition between manual mode and autonomy mode

Values

TABLE 8 value Description Remarks 00b No Request For Autonomy 01bRequest For Autonomy 10b Deactivation Request means transition requestto manual mode

-   -   The mode may be able not to be transitioned to Autonomy mode.        (e.g. In case that a failure occurs in the vehicle platform.)

3.3.3. Outputs

TABLE 9 Signal Name Description Redundancy Propulsion Direction StatusCurrent shift range N/A Propulsion Direction by Driver Shift leverposition by driver N/A Immobilization Status Output of EPB and Shift PApplied Immobilization Request by Driver EPB switch status by driver N/AStandstill Status Stand still status N/A Estimated_Coasting_RateEstimated vehicle deceleration when throttle is closed N/AEstimated_Max_Accel_Capability Estimated maximum acceleration AppliedEstimated_Max_Decel_Capability Estimated maximum deceleration AppliedEstimated_Road_Wheel_Angle_Actual Front wheel steer angle AppliedEstimated_Road_Wheel_Angle_Rate_Actual Front wheel steer angle rateApplied Steering_Wheel_Angle_Actual Steering wheel angle N/ASteering_Wheel_Angle_Rate_Actual Steering wheel angle rate N/ACurrent_Road_Wheel_Angle_Rate_Limit Road wheel angle rate limit AppliedEstimated_Max_Lateral_Acceleration_Capability Estimated max lateralacceleration Applied Estimated_Max_Lateral_Acceleration_Rate_CapabilityEstimated max lateral acceleration rate AppliedAccelerator_Pedal_Position Position of the accelerator pedal (How muchis the N/A pedal depressed?) Accelerator_Pedal_Intervention This signalshows whether the accelerator pedal is N/A depressed by a driver(intervention) Brake_Pedal_Position Position of the brake pedal (Howmuch is the pedal T.B.D. depressed?) Brake_Pedal_Intervention Thissignal shows whether the brake pedal is T.B.D. depressed by a driver(intervention) Steering_Wheel_Intervention This signal shows whether thesteering wheel is T.B.D. turned by a driver (intervention)Shift_Lever_Intervention This signal shows whether the shift lever iscontrolled T.B.D. by a driver (intervention) WheelSpeed_FL wheel speedvalue (Front Left Wheel) N/A WheelSpeed_FL_Rotation Rotation directionof wheel (Front Left) N/A WheelSpeed_FR wheel speed value (Front RightWheel) N/A WheelSpeed_FR_Rotation Rotation direction of wheel (FrontRight) N/A WheelSpeed_RL wheel speed value (Rear Left Wheel) AppliedWheelSpeed_RL_Rotation Rotation direction of wheel (Rear Left) AppliedWheelSpeed_RR wheel speed value (Rear Right Wheel) AppliedWheelSpeed_RR_Rotation Rotation direction of wheel (Rear Right) AppliedActual_Moving_Direction Moving direction of vehicle AppliedLongitudinal_Velocity Estimated longitudinal velocity of vehicle AppliedLongitudinal_Acceleration Estimated longitudinal acceleration of vehicleApplied Lateral_Acceleration Sensor value of lateral acceleration ofvehicle Applied Yawrate Sensor value of Yaw rate Applied Autonomy_StateState of whether autonomy mode or manual mode Applied Autonomy_ReadySituation of whether the vehicle can transition to Applied autonomy modeor not Autonomy_Fault Status of whether the fault regarding afunctionality in Applied autonomy mode occurs or not

3.3.3.1. Propulsion Direction Status

Current Shift Range

Values

TABLE 10 value Description remarks 0 Reserved 1 P 2 R 3 N 4 D 5 B 6Reserved 7 Invalid value

Remarks

-   -   When the shift range is indeterminate, this output is set to        “Invalid Value”.    -   When the vehicle becomes the following status during VO mode,        [Propulsion Direction Status] will turn to “P”.        -   [Longitudinal_Velocity]=0 [km/h]        -   [Brake_Pedal_Position]<Threshold value (T.B.D.) (in case of            being determined that the pedal isn't depressed)        -   [1st_Left_Seat_Belt_Status]=Unbuckled        -   [1st_Left_Door_Open_Status]=Opened

3.3.3.2. Propulsion Direction by Driver

Shift Lever Position by Driver Operation

Values

TABLE 11 value Description remarks 0 No Request 1 P 2 R 3 N 4 D 5 B 6Reserved 7 Invalid value

Remarks

-   -   Output based on the lever position operated by driver    -   If the driver releases his hand of the shift lever, the lever        returns to the central position and the output is set as “No        Request”.    -   When the vehicle becomes the following status during NVO mode,        [Propulsion Direction by Driver] will turn to “1(P)”.        -   [Longitudinal_Velocity]=0 [km/h]        -   [Brake_Pedal_Position]<Threshold value (T.B.D.) (in case of            being determined that the pedal isn't depressed)        -   [1st_Left_Seat_Belt_Status]=Unbuckled        -   [1st_Left_Door_Open_Status]=Opened

3.3.3.3. Immobilization Status

Output EPB and Shift-P status

Values

<Primary>

TABLE 12 Value Shift EPB Description Remarks 0 0 Shift set to other thanP, and EPB Released 1 0 Shift set to P and EPB Released 0 1 Shift set toother than P, and EPB applied 1 1 Shift set to P and EPB Applied

<Secondary>

TABLE 13 Value Shift Description Remarks 0 0 Other than Shift P 1 0Shift P 0 1 Reserved 1 1 Reserved

Remarks

-   -   Secondary signal does not include EPB lock status.

3.3.3.4. Immobilization Request by Driver

Driver operation of EPB switch

Values

TABLE 14 value Description remarks 0 No Request 1 Engaged 2 Released 3Invalid value

Remarks

-   -   “Engaged” is outputted while the EPB switch is being pressed.    -   “Released” is outputted while the EPB switch is being pulled.

3.3.3.5. Standstill Status

Vehicle stationary status

Values

TABLE 15 Value Description remarks 0 Released 1 Applied 2 Reserved 3Invalid value

Remarks

-   -   When Standstill Status=Applied continues for 3 minutes, EPB is        activated.    -   If the vehicle is desired to start, ADS requests Standstill        Command=“Released”.

3.3.3.6. Estimated_Coasting_Rate

Estimated vehicle deceleration when throttle is closed

Values

[unit: m/s²]

Remarks

-   -   Estimated acceleration at WOT is calculated.    -   Slope and road load etc. are taken into estimation.    -   When the Propulsion Direction Status is “D”, the acceleration to        the forward direction shows a positive value.    -   When the Propulsion Direction Status is “R”, the acceleration to        the reverse direction shows a positive value.

3.3.3.7. Estimated_Max_Accel_Capability

Estimated Maximum Acceleration

Values

[unit: m/s²]

Remarks

-   -   The acceleration at WOT is calculated.    -   Slope and road load etc. are taken into estimation.    -   The direction decided by the shift position is considered to be        plus.

3.3.3.8. Estimated_Max_Decel_Capability

Estimated maximum deceleration

Values

-   -   −9.8 to 0 [unit: m/s²]

Remarks

-   -   Affected by Brake_System_Degradation_Modes. Details are T.B.D.    -   Based on vehicle state or road condition, cannot output in some        cases

3.3.3.9. Estimated_Road_Wheel_Angle_Actual

Front wheel steer angle

Values

TABLE 16 value Description Remarks others [unit: rad] Minimum ValueInvalid value The sensor is invalid.

Remarks

-   -   Left is positive value (+). Right is negative value (−).    -   Before “the wheel angle when the vehicle is going straight”        becomes available, this signal is Invalid value.

3.3.3.10. Estimated_Road_Wheel_Angle_Rate_Actual

Front wheel steer angle rate

Values

TABLE 17 value Description Remarks others [unit: rad/s] Minimum ValueInvalid value

Remarks

-   -   Left is positive value (+). Right is negative value (−).

3.3.3.11. Steering_Wheel_Angle_Actual

Steering wheel angle

Values

TABLE 18 Value Description Remarks others [unit: rad] Minimum ValueInvalid value

Remarks

-   -   Left is positive value (+). Right is negative value (−).    -   The steering angle converted from the steering assist motor        angle    -   Before “the wheel angle when the vehicle is going straight”        becomes available, this signal is Invalid value.

3.3.3.12. Steering_Wheel_Angle_Rate_Actual

Steering Wheel Angle Rate

Values

TABLE 19 Value Description Remarks others [unit: rad/s] Minimum ValueInvalid value

Remarks

-   -   Left is positive value (+). Right is negative value (−).    -   The steering angle rate converted from the steering assist motor        angle rate

3.3.3.13. Current_Road_Wheel_Angle_Rate_Limit

Road wheel angle rate limit

Values

-   -   When stopped: 0.4 [rad/s]    -   While running: Show “Remarks”

Remarks

Calculated from the “vehicle speed−steering angle rate” chart like below

A) At a very low speed or stopped situation, use fixed value of 0.4[rad/s]

B) At a higher speed, the steering angle rate is calculated from thevehicle speed using 2.94 m/s³

The threshold speed between A and B is 10 [km/h] (FIG. 17).

3.3.3.14. Estimated_Max_Lateral_Acceleration_Capability

Estimated max lateral acceleration

Values

2.94 [unit: m/s²] fixed value

Remarks

-   -   Wheel Angle controller is designed within the acceleration range        up to 2.94 m/s².

3.3.3.15. Estimated_Max_Lateral_Acceleration_Rate_Capability

Estimated max lateral acceleration rate

Values

2.94 [unit: m/s³] fixed value

Remarks

-   -   Wheel Angle controller is designed within the acceleration range        up to 2.94 m/s³.

3.3.3.16. Accelerator Pedal Position

Position of the accelerator pedal (How much is the pedal depressed?)

Values

0 to 100 [unit: %]

Remarks

-   -   In order not to change the acceleration openness suddenly, this        signal is filtered by smoothing process.    -   In normal condition        -   The accelerator position signal after zero point calibration            is transmitted.    -   In failure condition        -   Transmitted failsafe value (0×FF)

3.3.3.17. Accelerator_Pedal_Intervention

This signal shows whether the accelerator pedal is depressed by a driver(intervention).

Values

TABLE 20 Value Description Remarks 0 Not depressed 1 depressed 2 Beyondautonomy acceleration

Remarks

-   -   When Accelerator_Pedal_Position is higher than the defined        threshold value (ACCL_INTV), this signal        [Accelerator_Pedal_Intervention] will turn to “depressed”.

When the requested acceleration from depressed acceleration pedal ishigher than the requested acceleration from system (ADS, PCS etc.), thissignal will turn to “Beyond autonomy acceleration”.

-   -   During NVO mode, accelerator request will be rejected.        Therefore, this signal will not turn to “2”.

Detail design (FIG. 18)

3.3.3.18. Brake_Pedal_Position

Position of the brake pedal (How much is the pedal depressed?)

Values

0 to 100 [unit: %]

Remarks

-   -   In the brake pedal position sensor failure:        -   Transmitted failsafe value (0×FF)    -   Due to assembling error, this value might be beyond 100%.

3.3.3.19. Brake Pedal Intervention

This signal shows whether the brake pedal is depressed by a driver(intervention).

Values

TABLE 21 Value Description Remarks 0 Not depressed 1 depressed 2 Beyondautonomy deceleration

Remarks

-   -   When Brake_Pedal_Position is higher than the defined threshold        value (BRK_INTV), this signal [Brake Pedal Intervention] will        turn to “depressed”.    -   When the requested deceleration from depressed brake pedal is        higher than the requested deceleration from system (ADS, PCS        etc.), this signal will turn to “Beyond autonomy deceleration”.

Detail design (FIG. 19)

3.3.3.20. Steering_Wheel_Intervention

This signal shows whether the steering wheel is turned by a driver(intervention).

Values

TABLE 22 Value Description Remarks 0 Not turned 1 Turned collaborativelyDriver steering torque + steering motor torque 2 Turned by human driver

Remarks

-   -   In “Steering_Wheel_Intervention=1”, considering the human        driver's intent, EPS system will drive the steering with the        Human driver collaboratively.    -   In “Steering_Wheel_Intervention=2”, considering the human        driver's intent, EPS system will reject the steering requirement        from autonomous driving kit. (The steering will be driven the        human driver.)

3.3.3.21. Shift Lever Intervention

This signal shows whether the shift lever is controlled by a driver(intervention).

Values

TABLE 23 Value Description Remarks 0 OFF 1 ON Controlled (moved to anyshift position)

Remarks

-   -   N/A

3.3.3.22. WheelSpeed_FL, WheelSpeed_FR, WheelSpeed_RL, WheelSpeed_RR

Wheel Speed Value

Values

TABLE 24 Value Description Remarks others Velocity [unit: m/s] MaximumValue Invalid value The sensor is invalid.

Remarks

-   -   T.B.D.

3.3.3.23. WheelSpeed_FL_Rotation, WheelSpeed_FR_Rotation,WheelSpeed_RL_Rotation, WheelSpeed_RR_Rotation

Rotation direction of each wheel

Values

TABLE 25 value Description remarks 0 Forward 1 Reverse 2 Reserved 3Invalid value The sensor is invalid.

Remarks

-   -   After activation of ECU, until the rotation direction is fixed,        “Forward” is set to this signal.    -   When detected continuously 2 (two) pulses with the same        direction, the rotation direction will be fixed.

3.3.3.24. Actual_Moving_Direction

Rotation direction of wheel

Values

TABLE 26 value Description remarks 0 Forward 1 Reverse 2 Standstill 3Undefined

Remarks

-   -   This signal shows “Standstill” when four wheel speed values are        “0” during a constant time.    -   When other than above, this signal will be determined by the        majority rule of four WheelSpeed_Rotations.    -   When more than two WheelSpeed_Rotations are “Reverse”, this        signal shows “Reverse”.    -   When more than two WheelSpeed_Rotations are “Forward”, this        signal shows “Forward”.    -   When “Forward” and “Reverse” are the same counts, this signal        shows “Undefined”.

3.3.3.25. Longitudinal_Velocity

Estimated Longitudinal Velocity of Vehicle

Values

TABLE 27 Value Description Remarks others Velocity [unit: m/s] MaximumValue Invalid value The sensor is invalid.

Remarks

-   -   This signal is output as the absolute value.

3.3.3.26. Longitudinal_Acceleration

Estimated longitudinal acceleration of vehicle

Values

TABLE 28 value Description Remarks others Acceleration [unit: m/s²]Minimum Value Invalid value The sensor is invalid.

Remarks

-   -   This signal will be calculated with wheel speed sensor and        acceleration sensor.    -   When the vehicle is driven at a constant velocity on the flat        road, this signal shows “0”.

3.3.3.27. Lateral_Acceleration

Sensor Value of Lateral Acceleration of Vehicle

Values

TABLE 29 Value Description Remarks others Acceleration [unit: m/s²]Minimum Value Invalid value The sensor is invalid.

Remarks

-   -   The positive value means counterclockwise. The negative value        means clockwise.

3.3.3.28. Yawrate

Sensor Value of Yaw Rate

Values

TABLE 30 Value Description Remarks others Yaw rate [unit: deg/s] MinimumValue Invalid value The sensor is invalid.

Remarks

-   -   The positive value means counterclockwise. The negative value        means clockwise.

3.3.3.29. Autonomy_State

State of whether autonomy mode or manual mode

Values

TABLE 31 value Description Remarks 00 Manual Mode The mode starts fromManual mode. 01 Autonomous Mode

Remarks

-   -   The initial state is the Manual mode. (When Ready ON, the        vehicle will start from the Manual mode.)

3.3.3.30. Autonomy_Ready

Situation of whether the vehicle can transition to autonomy mode or not

Values

TABLE 32 value Description Remarks 00b Not Ready For Autonomy 01b ReadyFor Autonomy 11b Invalid means the status is not determined.

Remarks

-   -   This signal is a part of transition conditions toward the        Autonomy mode.

Please see the summary of conditions.

3.3.3.31. Autonomy_Fault

Status of whether the fault regarding a functionality in autonomy modeoccurs or not

Values

TABLE 33 value Description Remarks 00b No fault 01b Fault 11b Invalidmeans the status is not determined.

Remarks

-   -   [T.B.D.] Please see the other material regarding the fault codes        of a functionality in autonomy mode.    -   [T.B.D.] Need to consider the condition to release the status of        “fault”.

3.4. APIs for BODY control

3.4.1. Functions

T.B.D.

3.4.2. Inputs

TABLE 34 Signal Name Description Redundancy Turnsignallight_Mode_CommandCommand to control the turnsignallight N/A mode of the vehicle platformHeadlight_Mode_Command Command to control the headlight mode of N/A thevehicle platform Hazardlight_Mode_Command Command to control thehazardlight mode N/A of the vehicle platform Horn_Pattern_CommandCommand to control the pattern of horn N/A ON-time and OFF-time percycle of the vehicle platform Horn_Number_of_Cycle_Command Command tocontrol the Number of horn N/A ON/OFF cycle of the vehicle platformHorn_Continuous_Command Command to control of horn ON of the N/A vehicleplatform Windshieldwiper_Mode_Front_Command Command to control the frontwindshield N/A wiper of the vehicle platformWindshieldwiper_Intermittent_Wiping_Speed_Command Command to control theWindshield wiper N/A actuation interval at the Intermittent modeWindshieldwiper_Mode_Rear_Command Command to control the rear windshieldN/A wiper mode of the vehicle platform Hvac_1st_Command Command tostart/stop 1st row air N/A conditioning control Hvac_2nd_Command Commandto start/stop 2nd row air N/A conditioning controlHvac_TargetTemperature_1st_Left_Command Command to set the targettemperature N/A around front left areaHvac_TargetTemperature_1st_Right_Command Command to set the targettemperature N/A around front right areaHvac_TargetTemperature_2nd_Left_Command Command to set the targettemperature N/A around rear left areaHvac_TargetTemperature_2nd_Right_Command Command to set the targettemperature N/A around rear right area Hvac_Fan_Level_1st_Row_CommandCommand to set the fan level on the front N/A ACHvac_Fan_Level_2nd_Row_Command Command to set the fan level on the rearN/A AC Hvac_1st_Row_AirOutlet_Mode_Command Command to set the mode of1st row air N/A outlet Hvac_2nd_Row_AirOutlet_Mode_Command Command toset the mode of 2nd row air N/A outlet Hvac_Recirculate_Command Commandto set the air recirculation mode N/A Hvac_AC_Command Command to set theAC mode N/A

3.4.2.1. Turnsignallight_Mode_Command

Command to control the turnsignallight mode of the vehicle platform

Values

TABLE 35 value Description remarks 0 OFF Blinker OFF 1 Right Rightblinker ON 2 Left Left blinker ON 3 reserved

Remarks

T.B.D.

Detailed Design

When Turnsignallight_Mode_Command=1, vehicle platform sends left blinkeron request.

When Turnsignallight_Mode_Command=2, vehicle platform sends rightblinker on request.

3.4.2.2. Headlight_Mode_Command

Command to control the headlight mode of the vehicle platform

Values

TABLE 36 Value Description remarks 0 No Request Keep current mode 1 TAILmode request side lamp mode 2 HEAD mode request Lo mode 3 AUTO moderequest 4 HI mode request 5 OFF Mode Request 6-7 reserved

Remarks

-   -   This command is valid when Headlight_Driver_Input=OFF or Auto        mode ON.    -   Driver input overrides this command.    -   Headlight mode changes when Vehicle platform receives once this        command.

3.4.2.3. Hazardlight_Mode_Command

Command to control the hazardlight mode of the vehicle platform

Values

TABLE 37 value Description remarks 0 OFF command for hazardlight OFF 1ON command for hazardlight ON

Remarks

-   -   Driver input overrides this command.    -   Hazardlight is active during Vehicle Platform receives ON        command.

3.4.2.4. Horn Pattern Command

Command to control the pattern of horn ON-time and OFF-time per cycle ofthe vehicle platform

Values

TABLE 38 value Description remarks 0 No request 1 Pattern 1 ON-time: 250ms OFF-time: 750 ms 2 Pattern 2 ON-time: 500 ms OFF-time: 500 ms 3Pattern 3 reserved 4 Pattern 4 reserved 5 Pattern 5 reserved 6 Pattern 6reserved 7 Pattern 7 Reserved

Remarks

-   -   Pattern 1 is assumed to use single short ON, Pattern 2 is        assumed to use ON-OFF repeating.    -   Detail is under internal discussion.

3.4.2.5. Horn_Number_of_Cycle_Command

Command to control the Number of horn ON/OFF cycle of the vehicleplatform

Values

0˜7 [−]

Remarks

-   -   Detail is under internal discussion.

3.4.2.6. Horn_Continuous_Command

Command to control of horn ON of the vehicle platform

Values

TABLE 39 value Description remarks 0 No request 1 ON request

Remarks

-   -   This command overrides Horn Pattern Command,        Horn_Number_of_Cycle_Command.    -   Horn is active during Vehicle Platform receives ON command.    -   Detail is under internal discussion.

3.4.2.7. Windshieldwiper_Mode_Front_Command

Command to control the front windshield wiper of the vehicle platform

Values

TABLE 40 value Description remarks 0 OFF mode request 1 Lo mode request2 Hi mode request 3 Intermittent mode request 4 Auto mode request 5 Mistmode request One-Time Wiping 6, 7 Reserved

Remarks

-   -   This command is under internal discussion the timing of valid.    -   This command is valid when        Windshieldwiper_Front_Driver_Input=OFF or Auto mode ON.    -   Driver input overrides this command.    -   Windshieldwiper mode is kept during Vehicle platform is        receiving the command.

3.4.2.8. Windshieldwiper_Intermittent_Wiping_Speed_Command

Command to control the Windshield wiper actuation interval at theIntermittent mode

Values

TABLE 41 value Description remarks 0 FAST 1 SECOND FAST 2 THIRD FAST 3SLOW

Remarks

-   -   This command is valid when        Windshieldwiper_Mode_Front_Status=INT.    -   Driver input overrides this command.    -   Windshieldwiper intermittent mode changes when Vehicle platform        receives once this command.

3.4.2.9. Windshieldwiper Mode Rear Command

Command to control the rear windshield wiper mode of the vehicleplatform

Values

TABLE 42 value Description Remarks 0 OFF mode request 1 Lo mode request2 reserved 3 Intermittent mode request 4-7 reserved

Remarks

-   -   Driver input overrides this command.    -   Windshieldwiper mode is kept during Vehicle platform is        receiving the command.    -   Wiping speed of intermittent mode is not variable.

3.4.2.10. Hvac_1st_Command

Command to start/stop 1st row air conditioning control

Values

TABLE 43 value Description Remarks 00 No request 01 ON means turning the1st air conditioning control to ON 02 OFF means turning the 1st airconditioning control to OFF

Remarks

-   -   The hvac of S-AM has a synchronization functionality.

Therefore, in order to control 4 (four) hvacs (1st_left/right,2nd_left/right) individually, VCIB achieves the following procedureafter Ready-ON. (This functionality will be implemented from the CV.)

#1: Hvac_1st_Command=ON

#2: Hvac_2nd_Command=ON

#3: Hvac_TargetTemperature_2nd_Left_Command

#4: Hvac_TargetTemperature_2nd_Right_Command

#5: Hvac_Fan_Level_2nd_Row_Command

#6: Hvac_2nd_Row_AirOutlet_Mode_Command

#7: Hvac_TargetTemperature_1st_Left_Command

#8: Hvac_TargetTemperature_1st_Right_Command

#9: Hvac_Fan_Level_1st_Row_Command

#10: Hvac_1st_Row_AirOutlet_Mode_Command

* The interval between each command needs 200 ms or more.

* Other commands are able to be executed after #1.

3.4.2.11. Hvac_2nd_Command

Command to start/stop 2nd row air conditioning control

Values

TABLE 44 value Description Remarks 00 No request 01 ON means turning the2nd air conditioning control to ON 02 OFF means turning the 2nd airconditioning control to OFF

Remarks

-   -   N/A

3.4.2.12. Hvac_TargetTemperature_1st_Left_Command

Command to set the target temperature around front left area

Values

TABLE 45 value Description Remarks 0 No request 60 to 85 [unit: ° F.](by 1.0° F.) Temperature direction

Remarks

-   -   N/A

3.4.2.13. Hvac_TargetTemperature_1st_Right_Command

Command to set the target temperature around front right area

Values

TABLE 46 value Description Remarks 0 No request 60 to 85 [unit: ° F.](by 1.0° F.) Temperature direction

Remarks

-   -   N/A

3.4.2.14. Hvac_TargetTemperature_2nd_Left_Command

Command to set the target temperature around rear left area

Values

TABLE 47 value Description Remarks 0 No request 60 to 85 [unit: ° F.](by 1.0° F.) Temperature direction

Remarks

-   -   N/A

3.4.2.15. Hvac_TargetTemperature_2nd_Right_Command

Command to set the target temperature around rear right area

Values

TABLE 48 value Description Remarks 0 No request 60 to 85 [unit: ° F.](by 1.0° F.) Temperature direction

Remarks

-   -   N/A

3.4.2.16. Hvac_Fan_Level_1st_Row_Command

Command to set the fan level on the front AC

Values

TABLE 49 value Description Remarks 0 No request 1 to 7 (Maximum) Fanlevel direction

Remarks

-   -   If you would like to turn the fan level to 0 (OFF), you should        transmit “Hvac_1st_Command=OFF”.    -   If you would like to turn the fan level to AUTO, you should        transmit “Hvac_1st_Command=ON”.

3.4.2.17. Hvac_Fan_Level_2nd_Row_Command

Command to set the fan level on the rear AC

Values

TABLE 50 value Description Remarks 0 No request 1 to 7 (Maximum) Fanlevel direction

Remarks

-   -   If you would like to turn the fan level to 0 (OFF), you should        transmit “Hvac_2nd_Command=OFF”.    -   If you would like to turn the fan level to AUTO, you should        transmit “Hvac_2nd_Command=ON”.

3.4.2.18. Hvac_1st_Row_AirOutlet_Mode_Command

Command to set the mode of 1st row air outlet

Values

TABLE 51 value Description Remarks 000b No Operation 001b UPPER Airflows to the upper body 010b U/F Air flows to the upper body and feet011b FEET Air flows to the feet. 100b F/D Air flows to the feet and thewindshield defogger operates

Remarks

-   -   N/A

3.4.2.19. Hvac_2nd_Row_AirOutlet_Mode_CommandCommand to set the mode of2nd row air outlet

Values

TABLE 52 value Description Remarks 000b No Operation 001b UPPER Airflows to the upper body 010b U/F Air flows to the upper body and feet011b FEET Air flows to the feet.

Remarks

-   -   N/A

3.4.2.20. Hvac_Recirculate_Command

Command to set the air recirculation mode

Values

TABLE 53 value Description Remarks 00 No request 01 ON means turning theair recirculation mode ON 02 OFF means turning the air recirculationmode OFF

Remarks

-   -   N/A

3.4.2.21. Hvac_AC_Command

Command to set the AC mode

Values

TABLE 54 value Description remarks 00 No request 01 ON means turning theAC mode ON 02 OFF means turning the AC mode OFF

Remarks

-   -   N/A

3.4.3. Outputs

TABLE 55 Signal Name Description Redundancy Turnsignallight_Mode_StatusStatus of the current turnsignallight N/A mode of the vehicle platformHeadlight_Mode_Status Status of the current headlight mode N/A of thevehicle platform Hazardlight_Mode_Status Status of the currenthazardlight N/A mode of the vehicle platform Horn_Status Status of thecurrent horn of the N/A vehicle platformWindshieldwiper_Mode_Front_Status Status of the current front windshieldN/A wiper mode of the vehicle platform Windshieldwiper_Mode_Rear_StatusStatus of the current rear windshield N/A wiper mode of the vehicleplatform Hvac_1^(st)_Status Status of activation of the 1^(st) row N/AHVAC Hvac_2^(nd)_Status Status of activation of the 2^(nd) row N/A HVACHvac_Temperature_1^(st)_Left_Status Status of set temperature of 1^(st)row N/A left Hvac_Temperature_1^(st)_Right_Status Status of settemperature of 1^(st) row N/A right Hvac_Temperature_2^(nd)_Left_StatusStatus of set temperature of 2^(nd) row N/A leftHvac_Temperature_2^(nd)_Right_Status Status of set temperature of 2^(nd)row N/A right Hvac_Fan_Level_1^(st)_Row_Status Status of set fan levelof 1^(st) row N/A Hvac_Fan_Level_2^(nd)_Row_Status Status of set fanlevel of 2^(nd) row N/A Hvac_1st_Row_AirOutlet_Mode_Status Status ofmode of 1st row air outlet N/A Hvac_2nd_Row_AirOutlet_Mode_Status Statusof mode of 2nd row air outlet N/A Hvac_Recirculate_Status Status of setair recirculation mode N/A Hvac_AC_Status Status of set AC mode N/A1st_Right_Seat_Occupancy_Status Seat occupancy status in 1st left — seat1st_Left_Seat_Belt_Status Status of driver's seat belt buckle — switch1st_Right_Seat_Belt_Status Status of passenger's seat belt — buckleswitch 2nd_Left_Seat_Belt_Status Seat belt buckle switch status in 2nd —left seat 2nd_Right_Seat_Belt_Status Seat belt buckle switch status in2nd — right seat

3.4.3.1. Turnsignallight_Mode_Status

Status of the current turnsignallight mode of the vehicle platform

Values

TABLE 56 value Description Remarks 0 OFF Turn lamp = OFF 1 Left Turnlamp L = ON (flashing) 2 Right Turn lamp R = ON (flashing) 3 invalid

Remarks

-   -   At the time of the disconnection detection of the turn lamp,        state is ON.    -   At the time of the short detection of the turn lamp, State is        OFF.

3.4.3.2. Headlight_Mode_Status

Status of the current headlight mode of the vehicle platform

Values

TABLE 57 Value Description Remarks 0 OFF 1 TAIL 2 Lo 3 reserved 4 Hi 5-6reserved 7 invalid

Remarks

N/A

Detailed Design

-   -   At the time of tail signal ON, Vehicle Platform sends 1.    -   At the time of Lo signal ON, Vehicle Platform sends 2.    -   At the time of Hi signal ON, Vehicle Platform sends 4.    -   At the time of any signal above OFF, Vehicle Platform sends 0.

3.4.3.3. Hazardlight_Mode_Status

Status of the current hazard lamp mode of the vehicle platform

Values

TABLE 58 Value Description Remarks 0 OFF Hazard lamp = OFF 1 HazardHazard lamp = ON (flashing) 2 reserved 3 invalid

Remarks

N/A

3.4.3.4. Horn_Status

Status of the current horn of the vehicle platform

Values

TABLE 59 Value Description Remarks 0 OFF 1 ON 2 reserved (unsupport) 3invalid (unsupport)

Remarks

-   -   cannot detect any failure.    -   Vehicle platform sends “1” during Horn Pattern Command is        active, if the horn is OFF.

3.4.3.5. Windshieldwiper_Mode_Front_Status

Status of the current front windshield wiper mode of the vehicleplatform

Values

TABLE 60 Value Description Remarks 0 OFF Front wiper stopped 1 Lo Frontwiper being active in LO mode (also including being active in MIST,being active in coordination with washer, and being wiping at speedother than HI) 2 Hi Front wiper being active in HI mode 3 INT Frontwiper being active in INT mode (also including motor stop while beingactive in INT mode and being active in INT mode owing to vehicle speedchange function) 4-5 reserved 6 fail Front wiper failed 7 invalid

TABLE 61 Value Description Remarks 0 OFF Front wiper is stopped. 1 LoFront wiper is in LO mode (include in MIST mode, operation with washer,Medium speed). 2 Hi Front wiper is in HI mode. 3 INT Front wiper is inINT mode (include motor stopped between INT mode, INT operation ofvehicle speed change function). 4-5 reserved 6 fail Front wiper is fail.7 invalid

Remarks

Fail Mode Conditions

-   -   detect signal discontinuity    -   cannot detect except the above failure.

3.4.3.6. Windshieldwiper_Mode_Rear_Status

Status of the current rear windshield wiper mode of the vehicle platform

Values

TABLE 62 Value Description Remarks 0 OFF Rear wiper stopped 1 Lo Rearwiper being in LO mode 2 reserved 3 INT Rear wiper being in INT mode 4-5reserved 6 fail Rear wiper failed 7 invalid

Remarks

-   -   cannot detect any failure.

3.4.3.7. Hvac_1st_Status

Status of activation of the 1st row HVAC

Values

TABLE 63 value Description remarks 0b OFF 1b ON

Remarks

-   -   N/A

3.4.3.8. Hvac_2nd_Status

Status of activation of the 2nd row HVAC

Values

TABLE 64 value Description remarks 0b OFF 1b ON

Remarks

-   -   N/A

3.4.3.9. Hvac_Temperature_1st_Left_Status

Status of set temperature of 1st row left

Values

TABLE 65 value Description remarks  0 Lo Max cold 60 to 85 [unit: ° F.]Target temperature 100 Hi Max hot FFh Unknown

Remarks

-   -   N/A

3.4.3.10. Hvac_Temperature_1st_Right_Status

Status of set temperature of 1st row right

Values

TABLE 66 value Description remarks  0 Lo Max cold 60 to 85 [unit: ° F.]Target temperature 100 Hi Max hot FFh Unknown

Remarks

-   -   N/A

3.4.3.11. Hvac_Temperature_2nd_Left_Status

Status of set temperature of 2nd row left

Values

TABLE 67 value Description remarks  0 Lo Max cold 60 to 85 [unit: ° F.]Target temperature 100 Hi Max hot FFh Unknown

Remarks

-   -   N/A

3.4.3.12. Hvac_Temperature_2nd_Right_Status

Status of set temperature of 2nd row right

Values

TABLE 68 value Description remarks  0 Lo Max cold 60 to 85 [unit: ° F.]Target temperature 100 Hi Max hot FFh Unknown

Remarks

-   -   N/A

3.4.3.13. Hvac_Fan_Level_1st_Row_Status

Status of set fan level of 1st row

Values

TABLE 69 value Description remarks 0 OFF 1-7 Fan Level 8 Undefined

Remarks

-   -   N/A

3.4.3.14. Hvac_Fan_Level_2nd_Row_Status

Status of set fan level of 2nd row

Values

TABLE 70 value Description remarks 0 OFF 1-7 Fan Level 8 Undefined

Remarks

-   -   N/A

3.4.3.15. Hvac_1st_Row_AirOutlet_Mode_Status

Status of mode of 1st row air outlet

Values

TABLE 71 value Description remarks 000b ALL OFF when Auto mode is set001b UPPER Air flows to the upper body 010b U/F Air flows to the upperbody and feet 011b FEET Air flows to the feet. 100b F/D Air flows to thefeet and the windshield defogger operates 101b DEF The windshielddefogger operates 111b Undefined

Remarks

-   -   N/A

3.4.3.16. Hvac_2nd_Row_AirOutlet_Mode_Status

Status of mode of 2nd row air outlet

Values

TABLE 72 value Description remarks 000b ALL OFF when Auto mode is set001b UPPER Air flows to the upper body 010b U/F Air flows to the upperbody and feet 011b FEET Air flows to the feet. 111b Undefined

Remarks

-   -   N/A

3.4.3.17. Hvac Recirculate Status

Status of set air recirculation mode

Values

TABLE 73 value Description remarks 00 OFF means that the airrecirculation mode is OFF 01 ON means that the air recirculation mode isON

Remarks

-   -   N/A

3.4.3.18. Hvac_AC_Status

Status of set AC mode

Values

TABLE 74 value Description remarks 00 OFF means that the AC mode is OFF01 ON means that the AC mode is ON

Remarks

-   -   N/A

3.4.3.19. 1st_Right_Seat_Occupancy_Status

Seat occupancy status in 1st left seat

Values

TABLE 75 value Description remarks 0 Not occupied 1 Occupied 2 UndecidedIG OFF or signal from sensor being lost 3 Failed

Remarks

When there is luggage on the seat, this signal may be set to “Occupied”.

3.4.3.20. 1st_Left_Seat_Belt_Status

Status of driver's seat belt buckle switch

Values

TABLE 76 value Description remarks 0 Buckled 1 Unbuckled 2 Undetermined3 Fault of a switch

Remarks

-   -   When Driver's seat belt buckle switch status signal is not set,        [undetermined] is transmitted.

It is checking to a person in charge, when using it. (Outputs“undetermined=10” as an initial value.)

-   -   The judgement result of buckling/unbuckling shall be transferred        to CAN transmission buffer within 1.3 s after IG_ON or before        allowing firing, whichever is earlier.

3.4.3.21. 1st_Right_Seat_Belt_Status

Status of passenger's seat belt buckle switch

Values

TABLE 77 value Description remarks 0 Buckled 1 Unbuckled 2 Undetermined3 Fault of a switch

Remarks

-   -   When Passenger's seat belt buckle switch status signal is not        set, [undetermined] is transmitted.

It is checking to a person in charge, when using it. (Outputs“undetermined=10” as an initial value.)

-   -   The judgement result of buckling/unbuckling shall be transferred        to CAN transmission buffer within 1.3 s after IG_ON or before        allowing firing, whichever is earlier.

3.4.3.22. 2nd_Left_Seat_Belt_Status

Seat belt buckle switch status in 2nd left seat

Values

TABLE 78 value Description remarks 0 Buckled 1 Unbuckled 2 Undetermined3 Reserved

Remarks

-   -   cannot detect sensor failure.

3.4.3.23. 2nd_Right_Seat_Belt_Status

Seat belt buckle switch status in 2nd right seat

Values

TABLE 79 value Description remarks 0 Buckled 1 Unbuckled 2 Undetermined3 Reserved

Remarks

-   -   cannot detect any failure.

3.5. APIs for Power control

3.5.1. Functions

T.B.D.

3.5.2. Inputs

TABLE 80 Signal Name Description Redundancy Power_Mode_Request Commandto control the power N/A mode of the vehicle platform

3.5.2.1. Power_Mode_Request

Command to control the power mode of the vehicle platform

Values

TABLE 81 Value Description Remarks 00 No request 01 Sleep means “ReadyOFF” 02 Wake means that VCIB turns ON 03 Resd Reserved for dataexpansion 04 Resd Reserved for data expansion 05 Resd Reserved for dataexpansion 06 Driving Mode means “Ready ON”

Remarks

-   -   Regarding “wake”, let us share how to achieve this signal on the        CAN. (See the other material) Basically, it is based on        “ISO11989-2:2016”. Also, this signal should not be a simple        value. Anyway, please see the other material.    -   This API will reject the next request for a certain time [4000        ms] after receiving a request.

The followings are the explanation of the three power modes, i.e.[Sleep][Wake][Driving Mode], which are controllable via API.

[Sleep]

Vehicle power off condition. In this mode, the high voltage battery doesnot supply power, and neither VCIB nor other VP ECUs are activated.

[Wake]

VCIB is awake by the low voltage battery. In this mode, ECUs other thanVCIB are not awake except for some of the body electrical ECUs.

[Driving Mode]

Ready ON mode. In this mode, the high voltage battery supplies power tothe whole VP and all the VP ECUs including VCIB are awake.

3.5.3. Outputs

TABLE 82 Signal Name Description Redundancy Power_Mode_Status Status ofthe current power N/A mode of the vehicle platform

3.5.3.1. Power_Mode_Status

Status of the current power mode of the vehicle platform

Values

TABLE 83 Value Description Remarks 00 Resd Reserved for same data alignas mode request 01 Sleep means “Ready OFF” 02 Wake means that the onlyVCIB turns ON 03 Resd Reserved for data expansion 04 Resd Reserved fordata expansion 05 Resd Reserved for data expansion 06 Driving Mode means“Ready ON” 07 unknown means unhealthy situation would occur

Remarks

-   -   VCIB will transmit [Sleep] as Power_Mode_Status continuously for        3000 [ms] after executing the sleep sequence. And then, VCIB        will be shutdown.

3.6. APIs for Safety

3.6.1. Functions

T.B.D.

3.6.2. Inputs

TABLE 84 Signal Name Description Redundancy T.B.D.

3.6.3. Outputs

TABLE 85 Signal Name Description Redundancy Request for OperationRequest for operation according to status of vehicle platform toward ADSPassive_Safety_Functions_Triggered Collision detection signal —Brake_System_Degradation_Modes Indicates AppliedBrake_System_Degradation_Modes Propulsive_System_Degradation_ModesIndicates N/A Propulsive_System_Degradation_ModesDirection_Control_Degradation_Modes Indicates N/ADirection_Control_Degradation_Modes WheelLock_Control_Degradation_ModesIndicates Applied WheelLock_Control_Degradation_ModesSteering_System_Degradation_Modes Indicates AppliedSteering_System_Degradation_Modes Power_System_Degradation_ModesIndicates Applied Power_System_Degradation_ModesCommunication_Degradation_Modes

3.6.3.1. Request for Operation

Request for operation according to status of vehicle platform toward ADS

Values

TABLE 86 value Description remarks 0 No request 1 Need maintenance 2Need back to garage 3 Need stopping safely immediately Others Reserved

Remarks

-   -   T.B.D.

3.6.3.2. Passive_Safety_Functions_Triggered

Crash detection Signal

Values

TABLE 87 value Description remarks 0 Normal 5 Crash Detection (airbag) 6Crash Detection (high voltage circuit is shut off) 7 Invalid ValueOthers Reserved

Remarks

-   -   When the event of crash detection is generated, the signal is        transmitted 50 consecutive times every 100 [ms]. If the crash        detection state changes before the signal transmission is        completed, the high signal of priority is transmitted.

Priority: crash detection>normal

-   -   Transmits for 5 s regardless of ordinary response at crash,        because the vehicle breakdown judgment system shall send a        voltage OFF request for 5 s or less after crash in HV vehicle.

Transmission interval is 100 ms within fuel cutoff motion delayallowance time (1 s) so that data can be transmitted more than 5 times.In this case, an instantaneous power interruption is taken into account.

3.6.3.3. Brake_System_Degradation_Modes

Indicate Brake_System status

Values

TABLE 88 value Description remarks 0 Normal — 1 Failure detected —

Remarks

-   -   When the Failure is detected, Safe stop is moved.

3.6.3.4. Propulsive_System_Degradation_Modes

Indicate Powertrain_System status

Values

TABLE 89 value Description remarks 0 Normal — 1 Failure detected —

Remarks

-   -   When the Failure is detected, Safe stop is moved.

3.6.3.5. Direction_Control_Degradation_Modes

Indicate Direction_Control status

Values

TABLE 90 value Description remarks 0 Normal — 1 Failure detected —

Remarks

-   -   When the Failure is detected, Safe stop is moved.    -   When the Failure is detected, Propulsion Direction Command is        refused.

3.6.3.6. WheelLock_Control_Degradation_Modes

Indicate WheelLock_Control status

Values

TABLE 91 value Description remarks 0 Normal — 1 Failure detected —

Remarks

-   -   Primary indicates EPB status, and Secondary indicates SBW        indicates.    -   When the Failure is detected, Safe stop is moved.

3.6.3.7. Steering_System_Degradation_Modes

Indicate Steering_System status

Values

TABLE 92 value Description remarks 0 Normal — 1 Failure detected — 2Stationary steering Temporary lowering in performance not possible dueto high temperature or the like

Remarks

-   -   When the Failure are detected, Safe stop is moved.

3.6.3.8. Power_System_Degradation_Modes

[T.B.D]

3.6.3.9. Communication_Degradation_Modes

[T.B.D]

3.7. APIs for Security

3.7.1. Functions

T.B.D.

3.7.2. Inputs

TABLE 93 Signal Name Description Redundancy 1st_Left_Door_Lock_CommandCommand to control each door N/A 1st_Right_Door_Lock_Command lock of thevehicle platform N/A 2nd_Left_Door_Lock_Command Lock command supportsonly N/A 2nd_Right_Door_Lock_Command ALL Door Lock. N/A Unlock commandsupports 1st-left Door unlock only, and ALL Door unlock. Trunk DoorLock/unlock command include in ALL Door lock/unlockCentral_Vehicle_Lock_Exterior_Command Command to control the all doorN/A lock of the vehicle platform

3.7.2.1. 1st_Left_Door_Lock_Command, 1st_Right_Door_Lock_Command,2nd_Left_Door_Lock_Command, 2nd_Right_Door_Lock_Command

Command to control each door lock of the vehicle platform

Values

TABLE 94 Value Description Remarks 0 No Request 1 Lock (unsupported) 2Unlock 3 reserved

Remarks

-   -   Lock command supports only ALL Door Lock.    -   Unlock command supports 1st-left Door unlock only, and ALL Door        unlock.

3.7.2.2. Central Vehicle Lock Exterior Command

Command to control the all door lock of the vehicle platform.

Values

TABLE 95 Value Description Remarks 0 No Request 1 Lock (all) includetrunk lock 2 Unlock (all) include trunk unlock 3 reserved

Remarks

-   -   Lock command supports only ALL Door Lock.    -   Unlock command supports 1st-left Door unlock only, and ALL Door        unlock.

3.7.3. Outputs

TABLE 96 Signal Name Description Redundancy 1st_Left_Door_Lock_StatusStatus of the current 1st-left door N/A lock mode of the vehicleplatform 1st_Right_Door_Lock_Status Status of the current 1st-right doorN/A lock mode of the vehicle platform 2nd_Left_Door_Lock_Status Statusof the current 2nd-left door N/A lock mode of the vehicle platform2nd_Right_Door_Lock_Status Status of the current 2nd-right door N/A lockmode of the vehicle platform Central_Vehicle_Exterior_Locked_StatusStatus of the current all door lock N/A mode of the vehicle platformVehicle_Alarm_Status Status of the current vehicle alarm N/A of thevehicle platform

3.7.3.1. 1st_Left_Door_Lock_Status

Status of the current 1st-left door lock mode of the vehicle platform

Values

TABLE 97 value Description Remarks 0 reserved 1 Locked D seat locked 2Unlocked D seat unlocked 3 invalid

Remarks

-   -   cannot detect any failure.

3.7.3.2. 1st_Right_Door_Lock_Status

Status of the current 1st-right door lock mode of the vehicle platform

Values

TABLE 98 value Description remarks 0 reserved 1 Locked P seat locked 2Unlocked P seat unlocked 3 invalid

Remarks

-   -   cannot detect any failure.

3.7.3.3. 2nd_Left_Door_Lock_Status

Status of the current 2nd-left door lock mode of the vehicle platform

Values

TABLE 99 Value Description remarks 0 Reserved 1 Locked RL seat locked 2Unlocked RL seat unlocked 3 invalid

Remarks

-   -   cannot detect any failure.

3.7.3.4. 2nd_Right_Door_Lock_Status

Status of the current 2nd-right door lock mode of the vehicle platform

Values

TABLE 100 value Description remarks 0 reserved 1 Locked RR seat locked 2Unlocked RR seat unlocked 3 invalid

Remarks

-   -   cannot detect any failure.

3.7.3.5. Central_Vehicle_Exterior_Locked_Status

Status of the current all door lock mode of the vehicle platform

Values

TABLE 101 value Description remarks 0 Reserved (unsupport) 1 All Locked(unsupport) 2 Anything Unlocked (unsupport) 3 invalid (unsupport)

Remarks

-   -   Vehicle platform refers to each door lock status,    -   in case any door unlocked, sends 0.    -   in case all door locked, sends 1.

3.7.3.6. Vehicle_Alarm_Status

Status of the current vehicle alarm of the vehicle platform

Values

TABLE 102 Value Description remarks 0 Disarmed Auto alarm system notactive 1 Armed Auto alarm system active • not on alert 2 Active Autoalarm system active • on alert 3 invalid

Remarks

N/A

3.8. APIs for MaaS Service

3.8.1. Functions

T.B.D.

3.8.2. Inputs

TABLE 103 Signal Name Description Redundancy T.B.D.

3.8.3. Outputs

TABLE 104 Signal Name Description Redundancy T.B.D.

Example 2

Toyota's MaaS Vehicle Platform

Architecture Specification

[Standard Edition #0.1]

History of Revision

TABLE 105 Date of Revision ver. Summary of Revision Reviser 2019 Nov. 40.1 Creating a new material MaaS Business Div.

Index

1. General Concept 4 1.1. Purpose of this Specification 4 1.2. TargetVehicle Type 4 1.3. Target Electronic Platform 4 1.4. Definition of Term4 1.5. Precaution for Handling 4 1.6. Overall Structure of MaaS 4 1.7.Adopted Development Process 6 1.8. ODD (Operational Design Domain) 6 2.Safety Concept 7 2.1. Outline 7 2.2. Hazard analysis and risk assessment7 2.3. Allocation of safety requirements 8 2.4. Redundancy 8 3. SecurityConcept 10 3.1. Outline 10 3.2. Assumed Risks 10 3.3. Countermeasure forthe risks 10 3.3.1. The countermeasure for a remote attack 11 3.3.2. Thecountermeasure for a modification 11 3.4. Addressing Held DataInformation 11 3.5. Addressing Vulnerability 11 3.6. Contract withOperation Entity 11 4. System Architecture 12 4.1. Outline 12 4.2.Physical LAN architecture (in-Vehicle) 12 4.3. Power Supply Structure 145. Function Allocation 15 5.1. in a healthy situation 15 5.2. in asingle failure 16 6. Data Collection 18 6.1. At event 18 6.2. Constantly18

1. General Concept

1.1. Purpose of this Specification

This document is an architecture specification of Toyota's MaaS VehiclePlatform and contains the outline of system in vehicle level.

1.2. Target Vehicle Type

This specification is applied to the Toyota vehicles with the electronicplatform called 19ePF [ver.1 and ver.2].

The representative vehicle with 19ePF is shown as follows.

e-Palette, Sienna, RAV4, and so on.

1.3. Definition of Term

TABLE 106 Term Definition ADS Autonomous Driving System. ADK AutonomousDriving Kit VP Vehicle Platform. VCIB Vehicle Control Interface Box.This is an ECU for the interface and the signal converter between ADSand Toyota VP's sub systems.

1.4. Precaution for Handling

This is an early draft of the document.

All the contents are subject to change. Such changes are notified to theusers. Please note that some parts are still T.B.D. will be updated inthe future.

2. Architectural Concept

2.1. Overall Structure of MaaS

The overall structure of MaaS with the target vehicle is shown (FIG.20).

Vehicle control technology is being used as an interface for technologyproviders.

Technology providers can receive open API such as vehicle state andvehicle control, necessary for development of automated driving systems.

2.2. Outline of System Architecture on the Vehicle

The system architecture on the vehicle as a premise is shown (FIG. 21).

The target vehicle of this document will adopt the physical architectureof using CAN for the bus between ADS and VCIB. In order to realize eachAPI in this document, the CAN frames and the bit assignments are shownin the form of “bit assignment chart” as a separate document.

2.3. Outline of Power Supply Architecture on the Vehicle

The power supply architecture as a premise is shown as follows (FIG.22).

The blue colored parts are provided from an ADS provider. And the orangecolored parts are provided from the VP.

The power structure for ADS is isolate from the power structure for VP.Also, the ADS provider should install a redundant power structureisolated from the VP.

3. Safety Concept

3.1. Overall Safety Concept

The basic safety concept is shown as follows.

The strategy of bringing the vehicle to a safe stop when a failureoccurs is shown as follows (FIG. 23).

1. After occurrence of a failure, the entire vehicle executes “detectinga failure” and “correcting an impact of failure” and then achieves thesafety state 1.

2. Obeying the instructions from the ADS, the entire vehicle stops in asafe space at a safe speed (assumed less than 0.2G).

However, depending on a situation, the entire vehicle should happen adeceleration more than the above deceleration if needed.

3. After stopping, in order to prevent slipping down, the entire vehicleachieves the safety state 2 by activating the immobilization system.

TABLE 107 category content Precondition Only one single failure at atime across the entire integrated vehicle. (Multiple failures are notcovered) After the initial single failure, no other failure isanticipated in the duration in which the functionality is maintained.Responsibility In case of a single failure, the integrated vehicleshould for the vehicle maintain the necessary functionality for safetystop. platform until The functionality should be maintained for 15(fifteen) safety state 2 seconds. Basic [For ADS] Responsibility The ADSshould create the driving plan, and should Sharing indicate vehiclecontrol values to the VP. [For Toyota vehicle platform] The Toyota VPshould control each system of the VP based on indications from the ADS.

See the separated document called “Fault Management” regardingnotifiable single failure and expected behavior for the ADS.

3.2. Redundancy

The redundant functionalities with Toyota's MaaS vehicle are shown.

Toyota's Vehicle Platform has the following redundant functionalities tomeet the safety goals led from the functional safety analysis.

Redundant Braking

Any single failure on the Braking System doesn't cause loss of brakingfunctionality. However, depending on where the failure occurred, thecapability left might not be equivalent to the primary system'scapability. In this case, the braking system is designed to prevent thecapability from becoming 0.3 G or less.

Redundant Steering

Any single failure on the Steering System doesn't cause loss of steeringfunctionality. However, depending on where the failure occurred, thecapability left might not be equivalent to the primary system'scapability. In this case, the steering system is designed to prevent thecapability from becoming 0.3 G or less.

Redundant Immobilization

Toyota's MaaS vehicle has 2 immobilization systems, i.e. P lock and EPB.Therefore, any single failure of immobilization system doesn't causeloss of the immobilization capability. However, in the case of failure,maximum stationary slope angle is less steep than when the systems arehealthy.

Redundant Power

Any single failure on the Power Supply System doesn't cause loss ofpower supply functionality. However, in case of the primary powerfailure, the secondary power supply system keeps supplying power to thelimited systems for a certain time.

Redundant Communication

Any single failure on the Communication System doesn't cause loss of allthe communication functionality. System which needs redundancy hasphysical redundant communication lines. For more detail information, seethe chapter “Physical LAN architecture (in-Vehicle)”.

4. Security Concept

4.1. Outline

Regarding security, Toyota's MaaS vehicle adopts the security documentissued by Toyota as an upper document.

4.2. Assumed Risks

The entire risk includes not only the risks assumed on the base e-PF butalso the risks assumed for the Autono-MaaS vehicle.

The entire risk is shown as follows.

[Remote Attack]

-   -   To vehicle        -   Spoofing the center        -   ECU Software Alternation        -   DoS Attack        -   Sniffering    -   From vehicle        -   Spoofing the other vehicle        -   Software Alternation for a center or an ECU on the other            vehicle        -   DoS Attack to a center or other vehicle        -   Uploading illegal data    -   [Modification]        -   Illegal Reprogramming        -   Setting up an illegal ADK        -   Installation of an unauthenticated product by a customer

4.3. Countermeasure for the Risks

The countermeasure of the above assumed risks is shown as follows.

4.3.1. The Countermeasure for a Remote Attack

The countermeasure for a remote attack is shown as follows.

Since the autonomous driving kit communicates with the center of theoperation entity, end-to-end security should be ensured. Since afunction to provide a travel control instruction is performed,multi-layered protection in the autonomous driving kit is required. Usea secure microcomputer or a security chip in the autonomous driving kitand provide sufficient security measures as the first layer againstaccess from the outside. Use another secure microcomputer and anothersecurity chip to provide security as the second layer. (Multi-layeredprotection in the autonomous driving kit including protection as thefirst layer to prevent direct entry from the outside and protection asthe second layer as the layer below the former)

4.3.2. The Countermeasure for a Modification

The countermeasure for a modification is shown as follows.

For measures against a counterfeit autonomous driving kit, deviceauthentication and message authentication are carried out. In storing akey, measures against tampering should be provided and a key set ischanged for each pair of a vehicle and an autonomous driving kit.Alternatively, the contract should stipulate that the operation entityexercise sufficient management so as not to allow attachment of anunauthorized kit. For measures against attachment of an unauthorizedproduct by an Autono-MaaS vehicle user, the contract should stipulatethat the operation entity exercise management not to allow attachment ofan unauthorized kit.

In application to actual vehicles, conduct credible threat analysistogether, and measures for addressing most recent vulnerability of theautonomous driving kit at the time of LO should be completed.

5. Function Allocation

5.1. In a Healthy Situation

The allocation of representative functionalities is shown as below (FIG.24).

[Function Allocation]

TABLE 108 Function category Function name Related to # remarks PlanningPlan for driving path 0 Calculating control 0 e.g. longitudinal Gindications Overall API Pub/Sub 1 One system with redundancy SecurityAutonomy Driving Kit 1 One system with Authentication redundancy Message1 One system with Authentication redundancy Door locking control 8Longitudinal/Lateral Motion control 2 (Primary), 3 (Secondary)Propulsion control 4 Braking control 2, 3 Two units controlled accordingto deceleration requirement Steering control 5 One system withredundancy Immobilization control 2 (EPB), 6 (P Lock) Shift control 6Power supply Secondary battery 7 control Vehicle power control 10  Formore information, see the API specification. Access/Comfort Body control8 Turn signal, Headlight, Window, etc. HVAC control 9 Data Data logging(at event) 1 Data logging 1 (constantly)

5.2. In a Single Failure

See the separated document called “Fault Management” regardingnotifiable single failure and expected behavior for the ADS.

Though embodiments of the present disclosure have been described above,it should be understood that the embodiments disclosed herein areillustrative and non-restrictive in every respect. The scope of thepresent invention is defined by the terms of the claims and is intendedto include any modifications within the scope and meaning equivalent tothe terms of the claims.

What is claimed is:
 1. A vehicle comprising: an autonomous drivingsystem; and a vehicle platform that controls the vehicle in response toa command received from the autonomous driving system, wherein theautonomous driving system sends to the vehicle platform a commandincluding a first command to request acceleration and deceleration and asecond command to request to maintain stationary, the autonomous drivingsystem obtains a first signal indicating a longitudinal velocity of thevehicle and a second signal indicating a standstill status, and when theautonomous driving system issues the first command to request thevehicle platform to provide deceleration to stop the vehicle and thefirst signal indicates 0 km/h or a prescribed velocity or less, theautonomous driving system issues the second command to request thevehicle platform to maintain stationary, after brake hold control isfinished, the second signal indicates standstill, and until the secondsignal indicates standstill, the first command continues to request thevehicle platform to provide deceleration.
 2. The vehicle according toclaim 1, wherein the first command continues to request a constantdeceleration value during a period from when the second command requeststo maintain stationary until the second signal indicates standstill. 3.The vehicle according to claim 2, wherein the constant decelerationvalue is −0.4 m/s².
 4. The vehicle according to claim 1, wherein theautonomous driving system further obtains a third signal indicating amoving direction of the vehicle, and the brake hold control is startedwhen the first command requests deceleration, the second commandrequests to maintain stationary, and the third signal indicatesstandstill.
 5. The vehicle according to claim 1, wherein when theautonomous driving system issues the first command to request thevehicle platform to provide deceleration to stop the vehicle, andthereafter, before the brake hold control is finished the requestthrough the first command for deceleration is cancelled, transitioningto the brake hold control is canceled.
 6. The vehicle according to claim1, wherein when the autonomous driving system issues the second commandto request the vehicle platform to maintain stationary, and thereafter,before the brake hold control is finished the request through the secondcommand to maintain stationary is cancelled, transitioning to the brakehold control is canceled.
 7. The vehicle according to claim 1, whereinwhen the brake hold control is finished and thereafter the requestthrough the second command to maintain stationary still continues, thevehicle continues standstill while the request through the secondcommand to maintain stationary continues.
 8. The vehicle according toclaim 1, wherein the vehicle includes an electric parking brake, andwhen the second signal continues to indicate standstill for a prescribedperiod of time, the electric parking brake is activated.
 9. The vehicleaccording to claim 1, wherein when, in order to start the vehicle, theautonomous driving system cancels the brake hold control by setting thesecond command, the vehicle platform controls acceleration/decelerationof the vehicle based on the first command.
 10. A vehicle comprising: avehicle platform that controls the vehicle; and a vehicle controlinterface that mediates communication of a signal between the vehicleplatform and an autonomous driving system, wherein by attaching theautonomous driving system to the vehicle, the vehicle platform can carryout autonomous driving control of the vehicle in response to a commandreceived from the autonomous driving system, the autonomous drivingsystem sends to the vehicle platform through the vehicle controlinterface a command including a first command to request accelerationand deceleration and a second command to request to maintain stationary,the vehicle control interface outputs to the autonomous driving system afirst signal indicating a longitudinal velocity of the vehicle and asecond signal indicating a standstill status, when the autonomousdriving system issues the first command to request the vehicle platformto provide deceleration to stop the vehicle and the first signalindicates 0 km/h or a prescribed velocity or less, the vehicle controlinterface requests the autonomous driving system to issue the secondcommand to maintain stationary, and the vehicle control interfacerequests the autonomous driving system to continuously transmit thefirst command to request deceleration until the second signal indicatesstandstill in response to the second command.
 11. The vehicle accordingto claim 10, wherein the vehicle control interface outputs to theautonomous driving system a third signal indicating a moving directionof the vehicle, and brake hold control is started when the first commandrequests deceleration, the second command requests to maintainstationary, and the third signal indicates standstill.
 12. The vehicleaccording to claim 11, wherein when the autonomous driving system issuesthe first command to request the vehicle platform to providedeceleration to stop the vehicle, and thereafter, before the brake holdcontrol is finished the request through the first command fordeceleration is cancelled, transitioning to the brake hold control iscanceled.
 13. The vehicle according to claim 11, wherein when theautonomous driving system issues the second command to request thevehicle platform to maintain stationary, and thereafter, before thebrake hold control is finished the request through the second command tomaintain stationary is cancelled, transitioning to the brake holdcontrol is canceled.
 14. The vehicle according to claim 11, wherein whenthe brake hold control is finished and thereafter the request throughthe second command to maintain stationary still continues, the vehiclecontinues standstill while the request through the second command tomaintain stationary continues.
 15. The vehicle according to claim 10,wherein the vehicle includes an electric parking brake, and when thesecond signal continues to indicate standstill for a prescribed periodof time, the electric parking brake is activated.
 16. The vehicleaccording to claim 10, wherein when, in order to start the vehicle, theautonomous driving system cancels the brake hold control by setting thesecond command, the vehicle platform controls acceleration/decelerationof the vehicle based on the first command.
 17. An autonomous drivingsystem comprising a computer that sends a command to a vehicle platform,wherein the computer sends to the vehicle platform a command including afirst command to request acceleration and deceleration and a secondcommand to request to maintain stationary, the computer obtains a firstsignal indicating a longitudinal velocity of the vehicle and a secondsignal indicating a standstill status, when the computer issues thefirst command to request the vehicle platform to provide deceleration tostop a vehicle and the first signal indicates 0 km/h or a prescribedvelocity or less, the computer issues the second command to request thevehicle platform to maintain stationary, and until the second signalindicates standstill in response to the second command, the computerissues the first command to continue to request the vehicle platform toprovide deceleration.
 18. The autonomous driving system according toclaim 17, wherein the computer issues the first command to continue torequest a constant deceleration value during a period from when thesecond command requests to maintain stationary until the second signalindicates standstill.
 19. The autonomous driving system according toclaim 18, wherein the constant deceleration value is −0.4 m/s².